Spring Web Flow: EL Injection via WebFlowELExpressionParser (v4.0.0,3.x,2.x)
CVE-2026-40985 Published on June 11, 2026
Data Binding Vulnerability in Spring Web Flow with Unified EL Parser
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.
Affected versions:
Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Vulnerability Analysis
CVE-2026-40985 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CVE-2026-40985 has been classified to as an EL Injection vulnerability or weakness.
Products Associated with CVE-2026-40985
Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.
Affected Versions
Spring Web Flow:- Version 4.0.0 and below 4.0.1 is affected.
- Version 3.0.0 and below 3.0.2 is affected.
- Version 2.5.0 and below 2.5.2 is affected.