A vulnerability was found in Vmware Spring Web Flow up to 2.5.1/3.0.1/4.0.0 . It has been classified as problematic . The impacted element is an unknown function. This manipulation causes improper neutralization of special elements used in an expression language statement. This vulnerability appears as CVE-2026-40985 . The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.