https://github.com/apache/commons-lang/compare/rel/commons-lang-3.17.0...rel/commons-lang-3.18.0

Besides elytron use in core, in full WF this also affects the messaging-activemq and webservices subsystems, so ehugonne1@redhat.com and ropalka should have input. There are over 600 commits in the diff ^^^, so it's not trivial.

This fixes https://nvd.nist.gov/vuln/detail/CVE-2025-48924. That seems like a really minor CVE though, and I see no indication of our code (or deps) calling the ClassUtils.getClass(...) methods that were hardened. So, while this will eliminate WF getting flagged by scanners for the CVE, we're not IMHO actually affected by the CVE and the scanner issue shouldn't force an upgrade we're otherwise uncomfortable with.