CVE Catalog

CVE-2026-40985

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile — higher than 13% of all known CVEs

Summary

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.

Risk Assessment

Exploitation of this vulnerability may lead to unauthorized code execution in applications, posing a serious security threat to the organization.

Recommendation

It is recommended to upgrade to the latest version of Spring Web Flow to mitigate the risk associated with this vulnerability.

Original NVD description (English source)

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS