CVE-2026-40986

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

CVE-2026-40985

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1...

CVE-2026-40986

Spring Web Flow vulnerability: JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not text/html, enabling a scripting attack if server error details containing attacker-reflected input are returned. Affected versions: Spring Web Flow 4.0.0; 3.0.0–3....

CVE-2026-40986 Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

EUVD-2026-36201

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

CVE-2026-40985 Data Binding Vulnerability in Spring Web Flow with Unified EL Parser

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1...

EUVD-2026-36200

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1...

CVE-2026-40985

CVE-2026-40985 affects Spring Web Flow where configurations use the WebFlowELExpressionParser. The vulnerability arises from processing Unified EL expressions, allowing a crafted expression to influence behavior. Affected versions are Spring Web Flow 4.0.0; 3.0.0–3.0.1; and 2.5.0–2.5.1. The conne...

PT-2026-48614

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

PT-2026-48613

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1...

EUVD-2022-4886

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2017-8039

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding proper...

Linux Distros Unpatched Vulnerability : CVE-2017-4971

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding proper...

RHEL 7 : jasperreports-server-pro (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - jackson-databind: Unsafe deserialization due to incomplete black list incomplete fix for CVE-2017-15095...

RHEL 7 : spring-webflow (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow CVE-2017-8039 - An issue was...

Spring Web Flow 3.0 M1 Released

It has been almost 4 years since the last set of Spring Web Flow releases. Nevertheless, the project continues to serve a specific need particularly well, arguably better than alternatives, and remains in active use. While there hasnt been a strong driver for new releases, the upcoming Spring...

Insecure Default Initialization of Resource in Pivotal Spring Web Flow

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default i.e., set to 'false' can be vulnerable to malicious EL expressions in view states that process form...

GHSA-Q4V9-QJMW-J7VF Insecure Default Initialization of Resource in Pivotal Spring Web Flow

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default i.e., set to 'false' can be vulnerable to malicious EL expressions in view states that process form...

GHSA-FG9W-CFFM-PMH2 Insecure Default Initialization of Resource in Pivotal Spring Web Flow

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default i.e., set to 'false' can be vulnerable to malicious EL expressions in view states that process form...

Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability

Summary IBM Security Guardium has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2017-8039 DESCRIPTION: Pivotal Spring Web Flow could provide weaker than expected security, caused by an error related to applications that do not change the value of the...