CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

174 vulnerabilities with CWE-917
CVE-2025-11175
Mediawiki - DiscussionTools Extension <1.44-1.43 - Code Injection
CVE-2025-41253 HIGH
Spring Cloud Gateway Server Webflux - Info Disclosure
CVSS 7.5
CVE-2025-41243 CRITICAL
Spring Cloud Gateway Server Webflux - Info Disclosure
CVSS 10.0
CVE-2025-3322
Product - Code Injection
CVE-2024-51466 CRITICAL
IBM Cognos Analytics <11.2.4 FP4-12.0.4 - Code Injection
CVSS 9.0
CVE-2024-12798
JaninoEventEvaluator <1.3.14, <1.5.12 - RCE
CVE-2024-9672 MEDIUM
Papercut MF < 24.1.1 - XSS
CVSS 5.4
CVE-2024-7552 MEDIUM
DataGear <5.0.0 - Improper Neutralization
CVSS 6.3
CVE-2024-5828 HIGH
Hitachi Tuning Manager <8.8.7-00 - Code Injection
CVSS 8.6
CVE-2024-4286 MEDIUM
Mintplex-Labs' anything-llm - Info Disclosure
CVSS 4.9
CVE-2023-51593 CRITICAL
Voltronic Power ViewPower Pro - RCE
CVSS 9.8
CVE-2024-0715 HIGH
Hitachi Global Link Manager <8.8.7-03 - Code Injection
CVSS 7.6
CVE-2023-42658 HIGH
Chef InSpec <4.56.58, 5.22.29 - Command Injection
CVSS 8.8
CVE-2023-41331 CRITICAL
SOFARPC <5.11.0 - Command Injection
CVSS 9.8
CVE-2022-4146 HIGH
Hitachi Replication Manager <8.8.5-02 - Code Injection
CVSS 7.3
CVE-2022-45855 HIGH
Apache Ambari <2.7.7 - RCE
CVSS 8.0
CVE-2022-42009 HIGH
Apache Ambari <2.7.7 - RCE
CVSS 8.0
CVE-2023-32200 HIGH
Apache Jena <4.8.0 - RCE
CVSS 8.8
CVE-2023-22665 MEDIUM
Apache Jena <4.7.0 - XSS
CVSS 5.4
CVE-2023-20863 MEDIUM
Vmware Spring Framework < 5.2.24 - Denial of Service
CVSS 6.5
CVE-2023-27821 CRITICAL
Databasir - Remote Code Execution
CVSS 9.8
CVE-2023-26092 CRITICAL
Liima <1.17.28 - SSRF
CVSS 9.8
CVE-2022-23504 MEDIUM
Typo3 < 9.5.38 - Information Disclosure
CVSS 5.7
CVE-2022-23463 CRITICAL
Nepxion Discovery < 6.16.2 - Remote Code Execution
CVSS 9.4
CVE-2022-34466 MEDIUM
Mendix 9 >=V9.11<V9.15,Mendix 9 V9.12 <V9.12.3 - Info Disclosure
CVSS 6.5
Details
Vulnerabilities 174
Links
MITRE CWE Entry Search this CWE With Exploits