Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Non-default WebFlowELExpressionParser configuration drives AC:H; authenticated low-privilege access and required user interaction are independently confirmed by CVSS PR:L and UI:R; no availability impact per description.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.
Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
AnalysisAI
Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
Spring Web Flow (cpe:2.3:a:spring:spring_web_flow:*:*:*:*:*:*:*:*) is a Java framework built on Spring MVC that manages stateful, multi-step web application flows. The WebFlowELExpressionParser is an optional component that integrates the Java Unified Expression Language (EL) engine to evaluate expressions during flow execution - used for binding, validation, navigation decisions, and model access. CWE-917 (Expression Language Injection) describes the root cause: user-controlled input reaches an EL evaluator without adequate sanitization, allowing an attacker-supplied string to be interpreted as executable EL rather than literal data. This class of vulnerability is historically significant in the Spring ecosystem (cf. Spring Framework EL injection issues) and can expose server-side object graphs, invoke arbitrary Java methods available on the EL context, or alter application state depending on what objects are bound to the EL context at the time of evaluation.
RemediationAI
Consult the vendor advisory at https://spring.io/security/cve-2026-40985 for the exact patched release versions, as specific fix version numbers were not included in the available intelligence data and should not be inferred. The primary fix is upgrading to a patched release of Spring Web Flow once published by VMware/Broadcom. As an immediate compensating control, teams that do not require Unified EL expression evaluation should remove or replace the WebFlowELExpressionParser configuration - this eliminates the vulnerable code path entirely and carries minimal functional impact for applications not relying on this parser. Applications that must retain EL expression evaluation should enforce strict input validation and allowlisting on any user-supplied strings that could enter the EL evaluation context, and should restrict access to affected flow endpoints to authenticated, trusted users where possible. The UI:R requirement suggests that restricting who can trigger the relevant flow transitions may further limit exposure.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36200
GHSA-9ggw-87m9-9gfc