CVE-2026-8759
Description
A vulnerability was identified in xiandafu beetl up to 3.20.2. The affected code is an unknown function in the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. The attack can be carried out remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Expression language injection in beetl's SpELFunction (≤3.20.2) allows remote code execution, and a public exploit is available.
Root Cause
CVE-2026-8759 is an improper neutralization of special elements in an expression language statement within the SpELFunction component of xiandafu beetl, versions up to 3.20.2 [1]. The vulnerability resides in the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java [1]. The function fails to sanitize user-supplied input before evaluating it as a Spring Expression Language (SpEL) expression, allowing arbitrary code execution [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by crafting a malicious input that is passed to the SpELFunction [1]. The exploit is publicly available, increasing the immediate risk [1]. No special privileges or network position beyond reachability of the affected endpoint are required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the application [1]. This can lead to full compromise of the application and underlying system, including data theft, service disruption, or further lateral movement [1].
Mitigation
As of the publication date, the vendor has been informed via an issue report but has not responded or released a patch [1][2]. Users are advised to disable the SpELFunction if possible, apply input validation, or monitor for updates to beetl [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.