VYPR

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Base | Incomplete

Description

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (57)

page 1 of 3
  • CVE-2010-1871 | High | KEV | Aug 5, 2010
    risk 0.79 | cvss 8.8 | epss 0.83

    JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only…

  • CVE-2025-41243 | Critical | Sep 16, 2025
    risk 0.66 | cvss 10.0 | epss 0.03

    Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server…

  • CVE-2025-3322 | Critical | Jun 6, 2025
    risk 0.65 | cvss | epss 0.01

    An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.

  • CVE-2018-12533 | Critical | Jun 18, 2018
    risk 0.65 | cvss 9.8 | epss 0.21

    JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.

  • CVE-2026-11561 | Critical | Jun 11, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Apinizer allows Code Injection. This issue affects Apinizer: from 2026.04.0…

  • CVE-2026-39842 | Critical | Apr 15, 2026
    risk 0.64 | cvss 9.9 | epss 0.01

    OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's…

  • CVE-2018-12532 | Critical | Jun 18, 2018
    risk 0.64 | cvss 9.8 | epss 0.07

    JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.

  • CVE-2026-2587 | Critical | May 19, 2026
    risk 0.62 | cvss 9.6 | epss 0.01

    A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL)…

  • CVE-2026-2586 | Critical | May 19, 2026
    risk 0.59 | cvss 9.1 | epss 0.01

    An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application…

  • CVE-2026-41901 | Critical | May 12, 2026
    risk 0.59 | cvss 9.0 | epss 0.00

    Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially…

  • CVE-2026-40478 | Critical | Apr 17, 2026
    risk 0.59 | cvss 9.0 | epss 0.01

    Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it…

  • CVE-2026-40477 | Critical | Apr 17, 2026
    risk 0.59 | cvss 9.0 | epss 0.01

    Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it…

  • CVE-2026-42811 | Critical | May 4, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Apache Polaris builds Google Cloud Storage…

  • CVE-2026-22738 | Critical | Mar 27, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input…

  • CVE-2025-11175 | High | Jan 30, 2026
    risk 0.57 | cvss | epss 0.00

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki -…

  • CVE-2026-22729 | High | Mar 18, 2026
    risk 0.56 | cvss 8.6 | epss 0.01

    A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath…

  • CVE-2026-41729 | High | Jun 10, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded…

  • CVE-2026-41717 | High | Jun 10, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring…

  • CVE-2026-8888 | High | Jun 3, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic…

  • CVE-2026-41705 | High | May 9, 2026
    risk 0.49 | cvss 8.6 | epss 0.00

    Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest…