CVE-2026-8759
Severity: HIGH
xiandafu beetl SpELFunction SpELFunction.java expression language injection
Title source: cna
Description
A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
References (5)
VDB-364386 | xiandafu beetl SpELFunction SpELFunction.java expression language injection
https://vuldb.com/vuln/364386
Tags: vdb-entry
VDB-364386 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/364386/cti
Tags: signature, permissions-required
Submit #811316 | Beetl <= 3.20.2.RELEASE Code Injection
https://vuldb.com/submit/811316
Tags: third-party-advisory
https://gitee.com/xiandafu/beetl/issues/IIYAWC
Tags: broken-link, exploit, issue-tracking
https://gitee.com/xiandafu/beetl/
Tags: broken-link, product
Scores
CVSS v3: 7.3
EPSS: 0.0041
EPSS Percentile: 32.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-20, CWE-917
Status: published
Products (4)
com.ibeetl/beetl-spring-classic (Maven): 0 - 3.20.2.RELEASE
xiandafu/beetl: 3.20.0
xiandafu/beetl: 3.20.1
xiandafu/beetl: 3.20.2
Published: May 17, 2026
Tracked Since: May 17, 2026