VYPR
Critical severity · NVD Advisory · Published Feb 2, 2024 · Updated Dec 17, 2025

CVE-2024-22533

Description

Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-side template injection in Beetl before 3.15.12 allows blacklist bypass for remote code execution.

Vulnerability

Overview

Beetl versions prior to 3.15.12 are vulnerable to server-side template injection (SSTI). The DefaultNativeSecurityManager applies a blacklist to filter malicious template expressions, but the filtering is insufficient and can be bypassed [1][3].

Exploitation

An attacker who can control the template content, for instance through user-supplied input that is rendered as a template without proper sanitization, can craft a payload that evades the blacklist. This allows the injection of arbitrary Java code or expressions, leading to remote code execution [3].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary code on the server, potentially compromising the entire application and underlying infrastructure.

Mitigation

The issue is fixed in Beetl version 3.15.12. Users should upgrade to this version or later [2]. There is no workaround available if the template source is untrusted.
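The practical consequence of "no workaround if the template source is untrusted" is that the template text itself must never be built from user input; untrusted data should reach the engine only as a bound variable. The following is an added example written for this page, not code from the Beetl project or from the advisory. It assumes Beetl's GroupTemplate, StringTemplateResourceLoader and Template.binding API as commonly documented; the class name GreetingRenderer and the sample input are constructed.

```java
import java.io.IOException;
import org.beetl.core.Configuration;
import org.beetl.core.GroupTemplate;
import org.beetl.core.Template;
import org.beetl.core.resource.StringTemplateResourceLoader;

// Added example, not Beetl project code. Assumes the GroupTemplate /
// StringTemplateResourceLoader API; the sample input below is constructed.
public class GreetingRenderer {

    private final GroupTemplate group;

    public GreetingRenderer() throws IOException {
        // String-backed loader so templates can be passed as literals here.
        this.group = new GroupTemplate(new StringTemplateResourceLoader(),
                Configuration.defaultConfiguration());
    }

    // RISKY: untrusted input becomes part of the template source, so the
    // engine parses it as template syntax. Only the (bypassable) blacklist
    // described in the advisory stands between the input and the evaluator.
    public String renderUnsafe(String userName) {
        Template t = group.getTemplate("Hello, " + userName + "!");
        return t.render();
    }

    // SAFE: the template source is a constant under the developer's control;
    // untrusted data enters only as a bound variable and is emitted as a
    // value, never parsed as template syntax.
    public String renderSafe(String userName) {
        Template t = group.getTemplate("Hello, ${name}!");
        t.binding("name", userName);
        return t.render();
    }

    public static void main(String[] args) throws IOException {
        GreetingRenderer r = new GreetingRenderer();
        // Constructed sample value that looks like a template expression;
        // on the safe path it is treated as plain data.
        String input = "${1+1}";
        System.out.println(r.renderSafe(input));
    }
}
```

The same rule applies to any feature that lets users upload or edit templates: that is precisely the "untrusted template source" case the advisory says cannot be mitigated short of upgrading, so such features should be gated to trusted administrators or removed.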

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions    Patched versions
com.ibeetl:beetl-core    Maven       < 3.15.13.RELEASE    3.15.13.RELEASE

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.