A vulnerability marked as problematic has been reported in Vmware Spring Web Flow up to 2.5.1/3.0.1/4.0.0 . Impacted is an unknown function. Performing a manipulation results in cross site scripting. This vulnerability was named CVE-2026-40986 . The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.