Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-4ut8-z444-puhf
Vulnerability ID VCID-4ut8-z444-puhf
Aliases CVE-2014-1904
GHSA-ff7p-jqjm-v66h
Summary Cross-site scripting flaw Cross-site scripting (XSS) vulnerability in `web/servlet/tags/form/FormTag.java` in Spring MVC in this package allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual MODERATE http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2014-0400.html
epss 0.0181 https://api.first.org/data/v1/epss?cve=CVE-2014-1904
generic_textual MODERATE http://seclists.org/fulldisclosure/2014/Mar/101
generic_textual MODERATE http://secunia.com/advisories/57915
generic_textual MODERATE https://github.com/spring-projects/spring-framework
generic_textual MODERATE https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
generic_textual MODERATE https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45
generic_textual MODERATE https://jira.springsource.org/browse/SPR-11426
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2014-1904
Reference id Reference type URL
http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt
http://rhn.redhat.com/errata/RHSA-2014-0400.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1904.json
https://api.first.org/data/v1/epss?cve=CVE-2014-1904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904
http://seclists.org/fulldisclosure/2014/Mar/101
http://secunia.com/advisories/57915
https://github.com/spring-projects/spring-framework
https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58
https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45
https://jira.springsource.org/browse/SPR-11426
https://nvd.nist.gov/vuln/detail/CVE-2014-1904
1075296 https://bugzilla.redhat.com/show_bug.cgi?id=1075296
741604 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604
CVE-2014-1904 https://bugzilla.redhat.com/CVE-2014-1904
CVE-2014-1904 http://www.gopivotal.com/security/cve-2014-1904
RHSA-2014:0400 https://access.redhat.com/errata/RHSA-2014:0400
RHSA-2014:0401 https://access.redhat.com/errata/RHSA-2014:0401
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.83173
EPSS Score 0.0181
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:36:14.330453+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-webmvc/CVE-2014-1904.yml 38.6.0