VYPR

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Base (Incomplete)

Description

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, an attacker who can inject expressions may achieve code execution or other unexpected behaviors.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (57)

page 3 of 3
  • CVE-2025-56769 (Sep 25, 2025)
    risk 0.00 cvss, epss 0.00

    An issue was discovered in chinabugotech hutool before 5.8.4 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class.

  • CVE-2022-45855 (Jul 12, 2023)
    risk 0.00 cvss, epss 0.01

    SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.

  • CVE-2022-42009 (Jul 12, 2023)
    risk 0.00 cvss, epss 0.01

    SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.

  • CVE-2023-32200 (Jul 12, 2023)
    risk 0.00 cvss, epss 0.01

    There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0.

  • CVE-2023-22665 (Apr 25, 2023)
    risk 0.00 cvss, epss 0.01

    There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

  • CVE-2023-20863 (Apr 13, 2023)
    risk 0.00 cvss, epss 0.01

    In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

  • CVE-2023-20861 (Mar 23, 2023)
    risk 0.00 cvss, epss 0.01

    In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

  • CVE-2022-23504 (Dec 14, 2022)
    risk 0.00 cvss, epss 0.01

    TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend…

  • CVE-2022-23463 (Sep 24, 2022)
    risk 0.00 cvss, epss 0.02

    Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver's eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes…

  • CVE-2022-24847 (Apr 13, 2022)
    risk 0.00 cvss, epss 0.01

    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code…

  • CVE-2021-28170 (May 26, 2021)
    risk 0.00 cvss, epss 0.02

    In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

  • CVE-2021-21479 (Feb 9, 2021)
    risk 0.00 cvss, epss 0.10

    In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.

  • CVE-2020-15143 (Aug 19, 2020)
    risk 0.00 cvss, epss 0.02

    In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating…

  • CVE-2020-15146 (Aug 19, 2020)
    risk 0.00 cvss, epss 0.02

    In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that…

  • CVE-2020-9296 (Jun 16, 2020)
    risk 0.00 cvss, epss 0.02

    Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message…

  • CVE-2020-1959 (May 4, 2020)
    risk 0.00 cvss, epss 0.05

    A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom…

  • CVE-2009-1275 (Apr 9, 2009)
    risk 0.00 cvss, epss 0.03

    Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified…