CWE-917
AllowedImproper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Abstraction: Base · Status: Incomplete
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
170 vulnerabilities reference this CWE, most recent first.
GHSA-FVH3-672C-7P6C
Vulnerability from github – Published: 2026-03-27 06:31 – Updated: 2026-05-13 13:44In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected.
This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.ai:spring-ai-vector-store"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.ai:spring-ai-vector-store"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0-M1"
},
{
"fixed": "1.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22738"
],
"database_specific": {
"cwe_ids": [
"CWE-88",
"CWE-917",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:31:52Z",
"nvd_published_at": "2026-03-27T06:16:37Z",
"severity": "CRITICAL"
},
"details": "In Spring AI, a SpEL injection vulnerability exists in\u00a0SimpleVectorStore\u00a0when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code.\u00a0Only applications that use\u00a0SimpleVectorStore\u00a0and pass user-supplied input as a filter expression key are affected.\n\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.",
"id": "GHSA-fvh3-672c-7p6c",
"modified": "2026-05-13T13:44:15Z",
"published": "2026-03-27T06:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22738"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-ai/commit/ba9220b22383e430d5f801ce8e4fa01cf9e75f29"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-ai"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-ai/releases/tag/v1.0.5"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-ai/releases/tag/v1.1.4"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-22738"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key"
}
GHSA-FWXX-WV44-7QFG
Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2026-02-19 22:00The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.
An application should be considered vulnerable when all the following are true:
- The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
- An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
- An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
- The actuator endpoints are available to attackers.
- The actuator endpoints are unsecured.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-41253"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T21:29:31Z",
"nvd_published_at": "2025-10-16T15:15:33Z",
"severity": "HIGH"
},
"details": "The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.\n\nAn application should be considered vulnerable when all the following are true:\n\n * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).\n * An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.\n * An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway\u00a0and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.\n * The actuator endpoints are available to attackers.\n * The actuator endpoints are unsecured.",
"id": "GHSA-fwxx-wv44-7qfg",
"modified": "2026-02-19T22:00:41Z",
"published": "2025-10-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41253"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-cloud/spring-cloud-gateway"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\u0026version=3.1"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve/2025-41253"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection"
}
GHSA-G2F6-V5QH-H2MQ
Vulnerability from github – Published: 2020-04-14 15:27 – Updated: 2025-10-22 17:49Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.sonatype.nexus:nexus-extdirect"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.21.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-10199"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2020-04-14T15:26:13Z",
"nvd_published_at": "2020-04-01T19:15:00Z",
"severity": "HIGH"
},
"details": "Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).",
"id": "GHSA-g2f6-v5qh-h2mq",
"modified": "2025-10-22T17:49:49Z",
"published": "2020-04-14T15:27:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10199"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/917.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/sonatype/nexus-public"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-015-nxrm-sonatype"
},
{
"type": "WEB",
"url": "https://support.sonatype.com/hc/en-us/articles/360044882533"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10199"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160835/Sonatype-Nexus-3.21.1-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H",
"type": "CVSS_V3"
}
],
"summary": "Nexus Repository Manager 3 - Remote Code Execution "
}
GHSA-G4Q9-9X6G-WWH5
Vulnerability from github – Published: 2024-08-06 15:30 – Updated: 2024-08-06 15:30A vulnerability was found in DataGear up to 5.0.0. It has been declared as critical. Affected by this vulnerability is the function evaluateVariableExpression of the file ConversionSqlParamValueMapper.java of the component Data Schema Page. The manipulation leads to improper neutralization of special elements used in an expression language statement. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273697 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-7552"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T15:15:42Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in DataGear up to 5.0.0. It has been declared as critical. Affected by this vulnerability is the function evaluateVariableExpression of the file ConversionSqlParamValueMapper.java of the component Data Schema Page. The manipulation leads to improper neutralization of special elements used in an expression language statement. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273697 was assigned to this vulnerability.",
"id": "GHSA-g4q9-9x6g-wwh5",
"modified": "2024-08-06T15:30:54Z",
"published": "2024-08-06T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7552"
},
{
"type": "WEB",
"url": "https://gitee.com/datagear/datagear/issues/IAF3H7"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.273697"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.273697"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.386413"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G834-V6MC-99MW
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11Sonatype Nexus Repository Manager before 3.14 allows Java Expression Language Injection.
{
"affected": [],
"aliases": [
"CVE-2018-16621"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-15T20:29:00Z",
"severity": "HIGH"
},
"details": "Sonatype Nexus Repository Manager before 3.14 allows Java Expression Language Injection.",
"id": "GHSA-g834-v6mc-99mw",
"modified": "2022-05-13T01:11:29Z",
"published": "2022-05-13T01:11:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16621"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-015-nxrm-sonatype"
},
{
"type": "WEB",
"url": "https://support.sonatype.com/hc/en-us/articles/360010789153-CVE-2018-16621-Nexus-Repository-Manager-Java-Injection-October-17-2018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GCFH-36X4-MGJ6
Vulnerability from github – Published: 2025-09-26 00:31 – Updated: 2025-09-26 15:14An issue was discovered in chinabugotech hutool before 5.8.40 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "cn.hutool:hutool-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.40"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-56769"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T15:14:58Z",
"nvd_published_at": "2025-09-25T23:15:54Z",
"severity": "HIGH"
},
"details": "An issue was discovered in chinabugotech hutool before 5.8.40 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class.",
"id": "GHSA-gcfh-36x4-mgj6",
"modified": "2025-09-26T15:14:58Z",
"published": "2025-09-26T00:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56769"
},
{
"type": "WEB",
"url": "https://github.com/chinabugotech/hutool/issues/3994"
},
{
"type": "WEB",
"url": "https://github.com/chinabugotech/hutool/commit/3d0d8dea4bc2fac2e9b45dc67244195f30e42e4b"
},
{
"type": "PACKAGE",
"url": "https://github.com/chinabugotech/hutool"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Hutool allows remote code execution (RCE) via the QLExpressEngine class"
}
GHSA-GFX9-MHX4-MJM2
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A ictexpertdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7180"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A ictexpertdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-gfx9-mhx4-mjm2",
"modified": "2022-05-24T17:31:19Z",
"published": "2022-05-24T17:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7180"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GGVQ-C6FV-8CC8
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A faultparasset expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7152"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A faultparasset expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-ggvq-c6fv-8cc8",
"modified": "2022-05-24T17:31:17Z",
"published": "2022-05-24T17:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7152"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GMRC-MXJG-856R
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A devsoftsel expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7191"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A devsoftsel expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-gmrc-mxjg-856r",
"modified": "2022-05-24T17:31:20Z",
"published": "2022-05-24T17:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7191"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GX22-P97P-J9PR
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A comparefilesresult expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7144"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A comparefilesresult expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-gx22-p97p-j9pr",
"modified": "2022-05-24T17:31:15Z",
"published": "2022-05-24T17:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7144"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Avoid adding user-controlled data into an expression interpreter when possible.
Mitigation
- If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
- Validate that the user input will not evaluate as an expression
- Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
No CAPEC attack patterns related to this CWE.