PatchSiren cyber security CVE debrief
CVE-2026-40985 Spring CVE debrief
A vulnerability in Spring Web Flow allows malicious Unified EL expressions to be used when configuring the WebFlowELExpressionParser. This issue affects Spring Web Flow versions 4.0.0, 3.0.0 through 3.0.1, and 2.5.0 through 2.5.1.
- Vendor: Spring
- Product: Spring Web Flow
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Teams running Spring Web Flow 4.0.0, 3.0.0 through 3.0.1, or 2.5.0 through 2.5.1 should care, in particular those whose applications configure WebFlowELExpressionParser themselves and so control which Unified EL expressions it is given. They should inventory their deployed versions and review that configuration.
Technical summary
The vulnerability has a CVSS 3.1 base score of 6.4 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N. Read out, that means: reachable over the network, high attack complexity, low privileges required, user interaction required, scope unchanged, high impact on confidentiality and integrity, no impact on availability. The high complexity and the need for both a low-privileged account and user interaction are what keep the score in the MEDIUM band despite the C:H/I:H impact.
Defensive priority
MEDIUM
Recommended defensive actions
- Review every place where WebFlowELExpressionParser is configured and confirm that the Unified EL expressions supplied to it at configuration time are fixed, reviewed strings rather than values derived from untrusted input.
- Upgrade affected versions (4.0.0, 3.0.0-3.0.1, 2.5.0-2.5.1) to a release the vendor advisory lists as fixed; this debrief does not record the fixed versions, so take them from the official advisory.
- Consult the official CVE record [cve-org] and NVD details [nvd] for further information.
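The first of these actions is an inventory problem: find every build that pulls in an affected spring-webflow artifact. The script below is an added example, not part of this debrief or of the Spring project; it takes the affected ranges stated above, parses lines in the shape `mvn dependency:list` prints (a constructed sample is embedded, not output from a real build) and reports affected Spring Web Flow artifacts. The Maven coordinates `org.springframework.webflow:spring-webflow` are the real ones; the version-string handling (ignoring qualifiers such as `.RELEASE`) is an assumption that fits Spring's numbering but should be checked against your own dependency output.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges taken from the debrief, as inclusive (low, high) tuples.
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 0, 0)),
    ((3, 0, 0), (3, 0, 1)),
    ((2, 5, 0), (2, 5, 1)),
]

# Maven coordinates (groupId, artifactId) of Spring Web Flow.
WEBFLOW_COORDS = ("org.springframework.webflow", "spring-webflow")

# Matches the dependency lines `mvn dependency:list` prints:
#   [INFO]    groupId:artifactId:jar:version:scope
LINE_RE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):jar:([^:\s]+):(\w+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return the numeric major.minor.patch part of a version string.

    Qualifiers such as '.RELEASE' or '-SNAPSHOT' are ignored (assumption:
    the debrief's ranges are expressed on the numeric part only).
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    if v is None:
        return False
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_affected(dependency_list: str) -> List[Tuple[str, str, str]]:
    """Scan dependency:list output and return (coordinates, version, scope)
    for every spring-webflow artifact in an affected version."""
    hits = []
    for line in dependency_list.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if (group, artifact) != WEBFLOW_COORDS:
            continue
        if is_affected(version):
            hits.append((f"{group}:{artifact}", version, scope))
    return hits


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework:spring-core:jar:6.1.0:compile
[INFO]    org.springframework.webflow:spring-webflow:jar:3.0.1:compile
[INFO]    org.springframework.webflow:spring-binding:jar:3.0.1:compile
[INFO]    org.springframework.webflow:spring-webflow:jar:2.4.8.RELEASE:test
"""

if __name__ == "__main__":
    for coords, version, scope in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED {coords} {version} ({scope})")
```

Run it against real output with `mvn dependency:list | python3 check_webflow.py` after replacing the sample with `sys.stdin.read()`; anything the script reports should be upgraded or have its WebFlowELExpressionParser configuration reviewed as described above. A version outside the ranges is reported as not affected by this debrief, not as fixed: the fixed releases are not recorded here.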
Evidence notes
The attribution of this CVE to Spring as vendor rests on the stored source item [source-item]; no other vendor evidence is recorded.
Official resources
- CVE-2026-40985 CVE record (CVE.org)
- CVE-2026-40985 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-40985 was published on 2026-06-11T05:16:33.757Z and modified on 2026-06-11T15:21:30.653Z.