Spring Web Flow is a special sub-component of Spring. Spring Web Flow builds on Spring MVC and allows implementing the flows of a web application.
Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e. set to "false") can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
Upgrade to the latest version of Spring Web Flow.
Apache Struts Remote Code Execution (S2-057)
Umbraco CMS TemplateService remote code execution
WordPress Plugin Jekyll Exporter Remote Code Execution (2.2.0)
WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability (0.6.2 - 2.3.2)