CVE-2026-40985 | Vmware Spring Web Flow up to 2.5.1/3.0.1/4.0.0 expression language injection (EUVD-2026-36200 / CNNVD-202606-3069)
A vulnerability was found in Vmware Spring Web Flow up to 2.5.1/3.0.1/4.0.0. It has been classified as problematic. The impacted element is an unknown function. This manipulation causes improper neutralization of special elements used in an expression language statement.
This vulnerability appears as CVE-2026-40985. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.