CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Description
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
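Worked example of the weakness and its fix, added here and not taken from the CWE entry or from any product listed on this page. It uses Spring Expression Language (SpEL), the engine behind most entries below, and shows the same owner check written the vulnerable way (untrusted text spliced into the expression string) and the fixed way (constant expression, untrusted value bound as a variable, restricted evaluation context). The `Account` class, the method names, the `#needle` variable, the payload string and the 256-character length cap are illustrative assumptions; only the Spring API calls are real.

```java
// Added example for CWE-917 (not code from the CWE entry or from any listed product).
// Assumed setting: a web handler takes an untrusted request value and evaluates a
// SpEL filter against a small Account object. Account, the method names, "#needle"
// and MAX_EXPRESSION_LENGTH are illustrative; the Spring API calls are real.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ElInjectionDemo {

    /** Plain data object that the expressions are evaluated against. */
    public static class Account {
        private final String owner;
        private final long balance;

        public Account(String owner, long balance) {
            this.owner = owner;
            this.balance = balance;
        }

        public String getOwner() { return owner; }
        public long getBalance() { return balance; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /**
     * VULNERABLE (CWE-917): the request value becomes part of the expression text,
     * and StandardEvaluationContext exposes type references T(...), constructors and
     * arbitrary method calls. The attacker closes the string literal and appends
     * their own terms; the same shape with T(java.lang.Runtime).getRuntime().exec(...)
     * is remote code execution.
     */
    public static boolean vulnerableOwnerCheck(Account account, String untrusted) {
        Expression expr = PARSER.parseExpression("owner == '" + untrusted + "'");
        return Boolean.TRUE.equals(expr.getValue(new StandardEvaluationContext(account), Boolean.class));
    }

    /**
     * FIXED: the expression text is a constant written by the developer; the untrusted
     * value is bound as the variable #needle and is therefore compared as data, never
     * parsed. SimpleEvaluationContext in read-only data-binding mode is the second
     * layer: it resolves no types, beans, constructors or methods, so even a string
     * that did reach the parser could not touch the JVM.
     */
    public static boolean safeOwnerCheck(Account account, String untrusted) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("needle", untrusted);
        Expression expr = PARSER.parseExpression("owner == #needle");
        return Boolean.TRUE.equals(expr.getValue(ctx, account, Boolean.class));
    }

    /**
     * Where users genuinely author expressions (the Ambari metrics and Nepxion Discovery
     * entries are that shape), the restricted context is the security boundary, not a
     * regex over the text. The length cap is an assumed application-level limit placed
     * in front of the parser; the two Spring Framework DoS entries on this page were
     * triggered by crafted expression text.
     */
    private static final int MAX_EXPRESSION_LENGTH = 256; // assumed application limit

    public static boolean evaluateUserFilter(Account account, String userExpression) {
        if (userExpression == null || userExpression.length() > MAX_EXPRESSION_LENGTH) {
            throw new IllegalArgumentException("filter expression rejected: too long");
        }
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expr = PARSER.parseExpression(userExpression);
        return Boolean.TRUE.equals(expr.getValue(ctx, account, Boolean.class));
    }

    public static void main(String[] args) {
        Account acct = new Account("alice", 120);
        // Constructed payload: closes the literal, reaches java.lang.System through T(...),
        // then reopens a literal so the whole string still parses.
        String payload = "' or T(java.lang.System).getProperty('os.name') != null or owner == '";

        System.out.println("vulnerable, owner 'alice'   : " + vulnerableOwnerCheck(acct, "alice"));   // true
        System.out.println("vulnerable, injected payload: " + vulnerableOwnerCheck(acct, payload));   // true: check bypassed, JVM reached
        System.out.println("safe, owner 'alice'         : " + safeOwnerCheck(acct, "alice"));         // true
        System.out.println("safe, injected payload      : " + safeOwnerCheck(acct, payload));         // false: compared as text

        System.out.println("user filter, benign         : " + evaluateUserFilter(acct, "balance > 100 && owner == 'alice'"));
        try {
            evaluateUserFilter(acct, "T(java.lang.System).getProperty('os.name') != null");
        } catch (SpelEvaluationException e) {
            System.out.println("user filter, type reference : rejected (" + e.getMessageCode() + ")");
        }
    }
}
```

The Bean Validation entries below (Netflix Titus, Apache Syncope) are the same defect behind a different API: untrusted text placed into a constraint-violation message template is interpolated as Java EL. The fix has the same shape as `safeOwnerCheck`: keep the template a constant and pass the untrusted value as a message parameter rather than concatenating it into the template.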
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (57)
Page 3 of 3
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-56769 | | | 0.00 | — | 0.00 | | Sep 25, 2025 | An issue was discovered in chinabugotech hutool before 5.8.4 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class. |
| CVE-2022-45855 | | — | 0.00 | — | 0.01 | | Jul 12, 2023 | SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7. |
| CVE-2022-42009 | | — | 0.00 | — | 0.01 | | Jul 12, 2023 | SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7. |
| CVE-2023-32200 | | | 0.00 | — | 0.01 | | Jul 12, 2023 | There are insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0. |
| CVE-2023-22665 | | | 0.00 | — | 0.01 | | Apr 25, 2023 | There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query. |
| CVE-2023-20863 | | — | 0.00 | — | 0.01 | | Apr 13, 2023 | In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. |
| CVE-2023-20861 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. |
| CVE-2022-23504 | | | 0.00 | — | 0.01 | | Dec 14, 2022 | TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend… |
| CVE-2022-23463 | | — | 0.00 | — | 0.02 | | Sep 24, 2022 | Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver's eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes… |
| CVE-2022-24847 | | | 0.00 | — | 0.01 | | Apr 13, 2022 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code… |
| CVE-2021-28170 | | | 0.00 | — | 0.02 | | May 26, 2021 | In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. |
| CVE-2021-21479 | | — | 0.00 | — | 0.10 | | Feb 9, 2021 | In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system. |
| CVE-2020-15143 | | — | 0.00 | — | 0.02 | | Aug 19, 2020 | In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating… |
| CVE-2020-15146 | | — | 0.00 | — | 0.02 | | Aug 19, 2020 | In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that… |
| CVE-2020-9296 | | | 0.00 | — | 0.02 | | Jun 16, 2020 | Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message… |
| CVE-2020-1959 | | — | 0.00 | — | 0.05 | | May 4, 2020 | A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom… |
| CVE-2009-1275 | | | 0.00 | — | 0.03 | | Apr 9, 2009 | Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified… |