CVE Catalog
CVE-2026-40985
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk0.23%
13th percentile — higher than 13% of all known CVEs
Summary
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.
Risk Assessment
Exploitation of this vulnerability may lead to unauthorized code execution in applications, posing a serious security threat to the organization.
Recommendation
It is recommended to upgrade to the latest version of Spring Web Flow to mitigate the risk associated with this vulnerability.
Original NVD description (English source)
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

