Skip to main content

Spring Web Flow

4 CVEs product

Monthly

CVE-2026-40986 MEDIUM PATCH This Month

Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Java XSS Spring Web Flow
NVD HeroDevs VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-40985 MEDIUM PATCH This Month

Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Java Information Disclosure Spring Web Flow
NVD VulDB HeroDevs
CVSS 3.1
6.4
EPSS
0.0%
CVE-2017-8039 Maven MEDIUM PATCH This Month

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Java Information Disclosure Spring Web Flow
NVD
CVSS 3.0
5.9
EPSS
0.2%
CVE-2017-4971 Maven MEDIUM PATCH This Month

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 75.4%.

Java Information Disclosure Spring Web Flow
NVD
CVSS 3.0
5.9
EPSS
75.4%
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Reflected XSS in Spring Web Flow's JavaScript RemotingHandler allows an authenticated attacker to inject and execute arbitrary scripts in a victim's browser by embedding malicious content in input that the server reflects within error response bodies. The RemotingHandler renders these error bodies as HTML regardless of the declared Content-Type, bypassing MIME-type enforcement. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Java XSS Spring Web Flow
NVD HeroDevs VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Java Information Disclosure Spring Web Flow
NVD VulDB HeroDevs
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Java Information Disclosure Spring Web Flow
NVD
EPSS 75% CVSS 5.9
MEDIUM PATCH This Month

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 75.4%.

Java Information Disclosure Spring Web Flow
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy