CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement
Monthly
Expression language injection in Soagen Informatics' Apinizer API management platform versions 2026.04.0 through 2026.04.5 allows remote unauthenticated attackers to inject malicious EL expressions that the server evaluates, resulting in arbitrary code execution. The flaw was reported by Turkey's national CERT (TR-CERT) and carries a CVSS 9.8 critical rating, though SSVC currently indicates no observed exploitation and no public exploit identified at time of analysis. A vendor patch is available in version 2026.04.6.
Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.
SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.
Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.
{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Remote code execution in Offline Hospital Management System 5.3.0 stems from an insecure Electron renderer configuration where Node.js integration is enabled while context isolation is disabled, allowing JavaScript in the renderer to invoke Node.js APIs and run arbitrary OS commands. The flaw carries a CVSS 7.3 with network attack vector and no privileges required, though EPSS is low at 0.06% and no public exploit identified at time of analysis beyond a Medium write-up describing the technique.
Expression language injection in Beetl template engine versions up to 3.20.2 enables remote attackers to execute arbitrary expressions through the SpELFunction component. The vulnerability stems from improper neutralization of special elements in Spring Expression Language (SpEL) processing, with publicly available exploit code and no vendor response despite early notification. CVSS 7.3 indicates moderate severity with confirmed remote exploitability.
Filter-expression injection in Spring AI's MilvusVectorStore allows remote unauthenticated attackers to manipulate vector database queries by injecting malicious filter expressions through unsanitized document IDs. Affects Spring AI 1.0.0-1.0.6 and 1.1.0-1.1.5. VMware has released patches in versions 1.0.7 and 1.1.6. CVSS 8.6 (High) with network attack vector and no privileges required. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Expression language injection in Soagen Informatics' Apinizer API management platform versions 2026.04.0 through 2026.04.5 allows remote unauthenticated attackers to inject malicious EL expressions that the server evaluates, resulting in arbitrary code execution. The flaw was reported by Turkey's national CERT (TR-CERT) and carries a CVSS 9.8 critical rating, though SSVC currently indicates no observed exploitation and no public exploit identified at time of analysis. A vendor patch is available in version 2026.04.6.
Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.
SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.
Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.
{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Remote code execution in Offline Hospital Management System 5.3.0 stems from an insecure Electron renderer configuration where Node.js integration is enabled while context isolation is disabled, allowing JavaScript in the renderer to invoke Node.js APIs and run arbitrary OS commands. The flaw carries a CVSS 7.3 with network attack vector and no privileges required, though EPSS is low at 0.06% and no public exploit identified at time of analysis beyond a Medium write-up describing the technique.
Expression language injection in Beetl template engine versions up to 3.20.2 enables remote attackers to execute arbitrary expressions through the SpELFunction component. The vulnerability stems from improper neutralization of special elements in Spring Expression Language (SpEL) processing, with publicly available exploit code and no vendor response despite early notification. CVSS 7.3 indicates moderate severity with confirmed remote exploitability.
Filter-expression injection in Spring AI's MilvusVectorStore allows remote unauthenticated attackers to manipulate vector database queries by injecting malicious filter expressions through unsanitized document IDs. Affects Spring AI 1.0.0-1.0.6 and 1.1.0-1.1.5. VMware has released patches in versions 1.0.7 and 1.1.6. CVSS 8.6 (High) with network attack vector and no privileges required. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.