Skip to main content

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement

167 CVEs Avg CVSS 8.9 MITRE
65
CRITICAL
91
HIGH
10
MEDIUM
0
LOW
16
POC
6
KEV

Monthly

CVE-2026-11561 CRITICAL PATCH Act Now

Expression language injection in Soagen Informatics' Apinizer API management platform versions 2026.04.0 through 2026.04.5 allows remote unauthenticated attackers to inject malicious EL expressions that the server evaluates, resulting in arbitrary code execution. The flaw was reported by Turkey's national CERT (TR-CERT) and carries a CVSS 9.8 critical rating, though SSVC currently indicates no observed exploitation and no public exploit identified at time of analysis. A vendor patch is available in version 2026.04.6.

Code Injection Apinizer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-40985 MEDIUM PATCH This Month

Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Java Information Disclosure Spring Web Flow
NVD VulDB HeroDevs
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-41729 HIGH PATCH This Week

Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.

Code Injection Java Spring Data Rest
NVD HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41719 MEDIUM PATCH This Month

SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.

Code Injection Java Redis
NVD HeroDevs
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-41717 HIGH PATCH This Week

Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.

Code Injection Java Spring Data Mongodb
NVD HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-2587 Maven CRITICAL PATCH GHSA Act Now

{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Eclipse Glassfish
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-31380 MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26462 HIGH This Week

Remote code execution in Offline Hospital Management System 5.3.0 stems from an insecure Electron renderer configuration where Node.js integration is enabled while context isolation is disabled, allowing JavaScript in the renderer to invoke Node.js APIs and run arbitrary OS commands. The flaw carries a CVSS 7.3 with network attack vector and no privileges required, though EPSS is low at 0.06% and no public exploit identified at time of analysis beyond a Medium write-up describing the technique.

Node.js RCE
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-8759 Maven MEDIUM POC This Month

Expression language injection in Beetl template engine versions up to 3.20.2 enables remote attackers to execute arbitrary expressions through the SpELFunction component. The vulnerability stems from improper neutralization of special elements in Spring Expression Language (SpEL) processing, with publicly available exploit code and no vendor response despite early notification. CVSS 7.3 indicates moderate severity with confirmed remote exploitability.

Java Information Disclosure
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-41705 Maven HIGH PATCH GHSA This Week

Filter-expression injection in Spring AI's MilvusVectorStore allows remote unauthenticated attackers to manipulate vector database queries by injecting malicious filter expressions through unsanitized document IDs. Affects Spring AI 1.0.0-1.0.6 and 1.1.0-1.1.5. VMware has released patches in versions 1.0.7 and 1.1.6. CVSS 8.6 (High) with network attack vector and no privileges required. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Code Injection Java
NVD
CVSS 3.1
8.6
EPSS
0.0%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Expression language injection in Soagen Informatics' Apinizer API management platform versions 2026.04.0 through 2026.04.5 allows remote unauthenticated attackers to inject malicious EL expressions that the server evaluates, resulting in arbitrary code execution. The flaw was reported by Turkey's national CERT (TR-CERT) and carries a CVSS 9.8 critical rating, though SSVC currently indicates no observed exploitation and no public exploit identified at time of analysis. A vendor patch is available in version 2026.04.6.

Code Injection Apinizer
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Java Information Disclosure Spring Web Flow
NVD VulDB HeroDevs
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.

Code Injection Java Spring Data Rest
NVD HeroDevs
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.

Code Injection Java Redis
NVD HeroDevs
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.

Code Injection Java Spring Data Mongodb
NVD HeroDevs
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Eclipse Glassfish
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache Code Injection
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Offline Hospital Management System 5.3.0 stems from an insecure Electron renderer configuration where Node.js integration is enabled while context isolation is disabled, allowing JavaScript in the renderer to invoke Node.js APIs and run arbitrary OS commands. The flaw carries a CVSS 7.3 with network attack vector and no privileges required, though EPSS is low at 0.06% and no public exploit identified at time of analysis beyond a Medium write-up describing the technique.

Node.js RCE
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Expression language injection in Beetl template engine versions up to 3.20.2 enables remote attackers to execute arbitrary expressions through the SpELFunction component. The vulnerability stems from improper neutralization of special elements in Spring Expression Language (SpEL) processing, with publicly available exploit code and no vendor response despite early notification. CVSS 7.3 indicates moderate severity with confirmed remote exploitability.

Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Filter-expression injection in Spring AI's MilvusVectorStore allows remote unauthenticated attackers to manipulate vector database queries by injecting malicious filter expressions through unsanitized document IDs. Affects Spring AI 1.0.0-1.0.6 and 1.1.0-1.1.5. VMware has released patches in versions 1.0.7 and 1.1.6. CVSS 8.6 (High) with network attack vector and no privileges required. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Code Injection Java
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy