Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)) — Vulnerability Class 26

26 vulnerabilities classified as CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)). AI Chinese analysis included.

CWE-917 represents a critical input validation weakness where software constructs expression language statements, such as those in Java Server Pages, using untrusted external input without proper sanitization. Attackers typically exploit this vulnerability by injecting malicious code snippets into user-controlled fields, allowing them to manipulate the intended logic of the expression language. This injection can lead to severe consequences, including remote code execution, data theft, or unauthorized system access, as the application executes the attacker’s modified commands instead of the original developer intent. To prevent this, developers must strictly validate and neutralize all special elements within expression language statements before execution. Implementing allow-lists for acceptable inputs, utilizing parameterized expressions where possible, and employing robust input filtering mechanisms are essential strategies to ensure that external data cannot alter the structural integrity of the expression language, thereby mitigating the risk of injection attacks.

MITRE CWE Description
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.
Common Consequences (2)
ConfidentialityRead Application Data
IntegrityExecute Unauthorized Code or Commands
Mitigations (3)
Architecture and DesignAvoid adding user-controlled data into an expression interpreter when possible.
ImplementationIf user-controlled data must be added to an expression interpreter, one or more of the following should be performed: Validate that the user input will not evaluate as an expression Encode the user input in a way that ensures it is not evaluated as an expression
System Configuration, OperationThe framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
CVE IDTitleCVSSSeverityPublished
CVE-2026-41705 Spring AI MilvusVectorStore 注入漏洞影响 1.0.x-1.1.x — Spring AI 8.6 High2026-05-09
CVE-2026-41883 OmniFaces: EL injection via crafted resource name in wildcard CDN mapping — omnifaces 8.1 High2026-05-08
CVE-2026-42811 Apache Polaris: could broaden vended GCS credentials through unescaped identifier content in access-boundary CEL conditions — Apache Polaris 9.9 Critical2026-05-04
CVE-2026-40478 Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf — thymeleaf 9.1 Critical2026-04-17
CVE-2026-40477 Improper restriction of the scope of accessible objects in Thymeleaf expressions — thymeleaf 9.1 Critical2026-04-17
CVE-2025-11175 DiscussionTools should use better regex — Mediawiki - DiscussionTools Extension 7.5AIHighAI2026-01-30
CVE-2025-41253 Spring Cloud Gateway Webflux SpEL Injection Vulnerability Allowing Exposure of Environment Variables — Spring Cloud Gateway Server Webflux 7.5 High2025-10-16
CVE-2025-41243 Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux — Cloud Gateway 10.0 Critical2025-09-16
CVE-2025-3322 Improper Neutralization of Special Elements in OnlineSuite — OnlineSuite 9.8AICriticalAI2025-06-06
CVE-2024-51466 IBM Cognos Analytics expression language injection — Cognos Analytics 9.0 Critical2024-12-20
CVE-2024-12798 JaninoEventEvaluator vulnerability — Logback-core 8.4 -2024-12-19
CVE-2024-9672 Reflected XSS in PaperCut MF — PaperCut MF 6.1 -2024-12-09
CVE-2024-7552 DataGear Data Schema Page ConversionSqlParamValueMapper.java evaluateVariableExpression expression language injection — DataGear 6.3 Medium2024-08-06
CVE-2024-5828 EL Injection Vulnerability in Hitachi Tuning Manager — Hitachi Tuning Manager 8.6 High2024-08-06
CVE-2024-4286 Improper Neutralization of Special Elements in mintplex-labs/anything-llm — mintplex-labs/anything-llm 6.5 -2024-05-26
CVE-2023-51593 Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability — ViewPower Pro 9.8 -2024-05-03
CVE-2024-0715 EL Injection Vulnerability in Hitachi Global Link Manager — Hitachi Global Link Manager 7.6 High2024-02-20
CVE-2023-41331 SOFARPC Remote Command Execution (RCE) Vulnerability — sofa-rpc 9.8 Critical2023-09-12
CVE-2022-4146 EL Injection Vulnerability in Hitachi Replication Manager — Hitachi Replication Manager 7.3 High2023-07-18
CVE-2022-45855 Apache Ambari: Allows authenticated metrics consumers to perform RCE — Apache Ambari 8.0 High2023-07-12
CVE-2022-42009 Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application. — Apache Ambari 8.0 High2023-07-12
CVE-2023-32200 Apache Jena: Exposure of execution in script engine expressions. — Apache Jena 4.6 -2023-07-12
CVE-2023-22665 Apache Jena: Exposure of arbitrary execution in script engine expressions. — Apache Jena 6.1 -2023-04-25
CVE-2022-23463 SpEL Injection in Nepxion Discovery — Discover 9.4 Critical2022-09-24
CVE-2021-31805 Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. — Apache Struts 9.8 -2022-04-12
CVE-2021-45046 Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack — Apache Log4j 9.0 -2021-12-14

Vulnerabilities classified as CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)) represent 26 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.