CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

196 vulnerabilities with CWE-917
CVE-2026-11561 CRITICAL
SSTI in Soagen Informatics' Apinizer
CVSS 9.8
CVE-2026-40985 MEDIUM
Spring Web Flow 2.5.0-2.5.1, 3.0.0-3.0.1, 4.0.0 - Unified EL Injection
CVSS 6.4
CVE-2026-41729 HIGH
Spring Data REST SpEL Injection via Map Key in JSON Patch
CVSS 8.1
CVE-2026-41719 MEDIUM
Spring Data KeyValue and Redis - SpEL Injection in SpelPropertyComparator
CVSS 6.4
CVE-2026-41717 HIGH
Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding
CVSS 8.1
CVE-2026-8888 HIGH
Securly Chrome Extension < 3.0.7 - Denial of Service
CVSS 7.5
CVE-2026-2587 CRITICAL
Eclipse Glassfish - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSS 9.6
CVE-2026-2586 CRITICAL
Eclipse Glassfish - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSS 9.1
CVE-2026-31380 MEDIUM
Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass
CVSS 6.5
CVE-2026-26462 HIGH
Offline Hospital Management System 5.3.0 - Remote Code Execution
CVSS 7.3
CVE-2026-8759 HIGH
xiandafu beetl SpELFunction SpELFunction.java expression language injection
CVSS 7.3
CVE-2026-41901 CRITICAL
Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions
CVSS 9.0
CVE-2026-41705 HIGH
Spring AI - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSS 8.6
CVE-2026-41883 HIGH
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
CVSS 8.1
CVE-2026-28201 HIGH
SurrealDB Injection on Open Notebook
CVSS 7.8
CVE-2026-42811 CRITICAL
Apache Polaris: could broaden vended GCS credentials through unescaped identifier content in access-boundary CEL conditions
CVSS 9.9
CVE-2026-40478 CRITICAL
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
CVSS 9.0
CVE-2026-40477 CRITICAL
Improper restriction of the scope of accessible objects in Thymeleaf expressions
CVSS 9.0
CVE-2026-39842 CRITICAL
OpenRemote is Vulnerable to Expression Injection
CVSS 9.9
CVE-2026-22738 CRITICAL
SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution
CVSS 9.8
CVE-2026-22729 HIGH
CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
CVSS 8.6
CVE-2026-24713 CRITICAL
Apache IoTDB 1.0.0-1.3.6/2.0.0-2.0.6 - Input Validation
CVSS 9.8
CVE-2025-11175 HIGH
Mediawiki - DiscussionTools Extension <1.44-1.43 - Code Injection
CVE-2025-41253 HIGH
Spring Cloud Gateway Server Webflux - Info Disclosure
CVSS 7.5
CVE-2025-41243 CRITICAL
Spring Cloud Gateway Server Webflux - Info Disclosure
CVSS 10.0