VYPR

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

BaseIncomplete

Description

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (57)

page 2 of 3
  • CVE-2025-41253HigOct 16, 2025
    risk 0.49cvss 7.5epss 0.00

    The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: * The application is using…

  • CVE-2026-26462HigMay 18, 2026
    risk 0.47cvss 7.3epss 0.00

    Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs…

  • CVE-2026-8759HigMay 17, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper…

  • CVE-2026-41883HigMay 8, 2026
    risk 0.46cvss 8.1epss 0.00

    OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g.…

  • CVE-2026-28201HigMay 7, 2026
    risk 0.44cvss 7.8epss 0.00

    An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment,…

  • CVE-2026-40985MedJun 11, 2026
    risk 0.42cvss 6.4epss 0.00

    Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

  • CVE-2026-41719MedJun 10, 2026
    risk 0.42cvss 6.4epss 0.00

    A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5;…

  • CVE-2026-31380MedMay 19, 2026
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2011-4343HigAug 8, 2017
    risk 0.42cvss 7.5epss 0.05

    Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters.

  • CVE-2024-12798MedDec 19, 2024
    risk 0.31cvss epss 0.00

    ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an…

  • CVE-2021-45046KEVDec 14, 2021
    risk 0.29cvss epss 1.00

    It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout…

  • CVE-2021-44228KEVDec 10, 2021
    risk 0.29cvss epss 1.00

    Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log…

  • CVE-2024-4286MedMay 26, 2024
    risk 0.25cvss 4.9epss 0.00

    Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user…

  • CVE-2022-22963KEVApr 1, 2022
    risk 0.23cvss epss 1.00

    In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

  • CVE-2022-22947KEVMar 3, 2022
    risk 0.23cvss epss 0.98

    In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote…

  • CVE-2020-17530KEVDec 11, 2020
    risk 0.23cvss epss 0.96

    Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

  • CVE-2020-10199KEVApr 1, 2020
    risk 0.23cvss epss 0.99

    Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).

  • CVE-2021-31805Apr 12, 2022
    risk 0.08cvss epss 0.85

    The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted…

  • CVE-2022-22980Jun 22, 2022
    risk 0.07cvss epss 0.17

    A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

  • CVE-2026-24713Mar 9, 2026
    risk 0.00cvss epss 0.01

    Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.