Common Weakness Enumeration

CWE-917

Allowed

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Abstraction: Base · Status: Incomplete

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

170 vulnerabilities reference this CWE, most recent first.

GHSA-28C5-5MQ5-93W2

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A faulttrapgroupselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A faulttrapgroupselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-28c5-5mq5-93w2",
  "modified": "2022-05-24T17:31:16Z",
  "published": "2022-05-24T17:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7151"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-29Q4-GXJQ-RX5C

Vulnerability from github – Published: 2021-02-10 02:31 – Updated: 2021-02-10 01:48
VLAI
Summary
Remote Code Execution in SCIMono
Details

Impact

It is possible for attacker to inject and execute java expression and compromising the availability and integrity of the system.

Patches

The issue was fixed on 0.0.19 version

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.sap.scimono:scimono-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-62",
      "CWE-690",
      "CWE-74",
      "CWE-77",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-10T01:48:45Z",
    "nvd_published_at": "2021-02-09T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIt is possible for attacker to inject and execute java expression and compromising the availability and integrity of the system.\n\n### Patches\nThe issue was fixed on  [0.0.19 version](https://mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19)",
  "id": "GHSA-29q4-gxjq-rx5c",
  "modified": "2021-02-10T01:48:45Z",
  "published": "2021-02-10T02:31:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SAP/scimono/security/advisories/GHSA-29q4-gxjq-rx5c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21479"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAP/scimono/commit/413b5d75fa94e77876af0e47be76475a23745b80"
    },
    {
      "type": "WEB",
      "url": "https://mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Remote Code Execution in SCIMono"
}

GHSA-29WV-CV7P-XJC2

Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-06-04 19:21
VLAI
Summary
GlassFish's gadget handler is vulnerable to RCE
Details

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.glassfish.main.admingui:admingui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.glassfish.jsftemplating:jsftemplating"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T19:21:21Z",
    "nvd_published_at": "2026-05-19T15:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) \u201cexpressions\u201d are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.",
  "id": "GHSA-29wv-cv7p-xjc2",
  "modified": "2026-06-04T19:21:21Z",
  "published": "2026-05-19T15:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2587"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse-ee4j/glassfish"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-ee4j/glassfish/releases/tag/8.0.2"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/86"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GlassFish\u0027s gadget handler is vulnerable to RCE"
}

GHSA-2C6Q-RGVJ-66RX

Vulnerability from github – Published: 2022-05-02 03:23 – Updated: 2024-01-23 18:19
VLAI
Summary
Apache Tiles Vulnerable to XSS via EL Expression Injection
Details

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tiles:tiles-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2009-1275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-87",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-23T18:19:44Z",
    "nvd_published_at": "2009-04-09T15:08:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) `tiles:putAttribute` and (2) `tiles:insertTemplate` JSP tags.",
  "id": "GHSA-2c6q-rgvj-66rx",
  "modified": "2024-01-23T18:19:44Z",
  "published": "2022-05-02T03:23:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1275"
    },
    {
      "type": "WEB",
      "url": "http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Tiles Vulnerable to XSS via EL Expression Injection"
}

GHSA-2J83-QWG6-584R

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A viewbatchtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A viewbatchtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-2j83-qwg6-584r",
  "modified": "2022-05-24T17:31:20Z",
  "published": "2022-05-24T17:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7184"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2JHX-QQH2-9Q63

Vulnerability from github – Published: 2026-01-30 21:30 – Updated: 2026-01-30 21:30
VLAI
Details

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T20:16:40Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027) vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.",
  "id": "GHSA-2jhx-qqh2-9q63",
  "modified": "2026-01-30T21:30:22Z",
  "published": "2026-01-30T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11175"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/I563219f3298a8740e158d130492bf3d2897784d7"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T364910"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T396248"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2VP2-4CQW-XHCC

Vulnerability from github – Published: 2024-02-20 03:30 – Updated: 2025-02-12 18:31
VLAI
Details

Expression Language Injection vulnerability in Hitachi Global Link Manager on Windows allows Code Injection.This issue affects Hitachi Global Link Manager: before 8.8.7-03.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T02:15:49Z",
    "severity": "HIGH"
  },
  "details": "Expression Language Injection vulnerability in Hitachi Global Link Manager on Windows allows Code Injection.This issue affects Hitachi Global Link Manager: before 8.8.7-03.",
  "id": "GHSA-2vp2-4cqw-xhcc",
  "modified": "2025-02-12T18:31:27Z",
  "published": "2024-02-20T03:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0715"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-112/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3GX9-37WW-9QW6

Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-08-11 21:37
VLAI
Summary
Spring Cloud Gateway vulnerable to Code Injection when Gateway Actuator endpoint enabled, exposed, unsecured
Details

In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request resulting in arbitrary remote execution on the remote host.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-22947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-04T21:06:22Z",
    "nvd_published_at": "2022-03-03T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request resulting in arbitrary remote execution on the remote host.",
  "id": "GHSA-3gx9-37ww-9qw6",
  "modified": "2022-08-11T21:37:05Z",
  "published": "2022-03-04T00:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22947"
    },
    {
      "type": "WEB",
      "url": "https://tanzu.vmware.com/security/cve-2022-22947"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Cloud Gateway vulnerable to Code Injection when Gateway Actuator endpoint enabled, exposed, unsecured"
}

GHSA-3HX6-FQPJ-XFJR

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-11-08 12:55
VLAI
Summary
RichFaces vulnerable to Expression Language Injection
Details

JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.richfaces:richfaces-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.3.Final"
            },
            {
              "last_affected": "4.5.17.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-12532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T12:55:35Z",
    "nvd_published_at": "2018-06-18T12:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource\u0027s resource request, aka RF-14309.",
  "id": "GHSA-3hx6-fqpj-xfjr",
  "modified": "2022-11-08T12:55:35Z",
  "published": "2022-05-13T01:19:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12532"
    },
    {
      "type": "WEB",
      "url": "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/Mar/21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RichFaces vulnerable to Expression Language Injection"
}

GHSA-3JPC-997V-X927

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-21 00:00
VLAI
Details

A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions \u003e= V9.11 \u003c V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions \u003c V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration.",
  "id": "GHSA-3jpc-997v-x927",
  "modified": "2022-07-21T00:00:31Z",
  "published": "2022-07-13T00:01:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34466"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid adding user-controlled data into an expression interpreter when possible.

Mitigation
Implementation
  • If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
  • Validate that the user input will not evaluate as an expression
  • Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
System Configuration Operation

The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".

No CAPEC attack patterns related to this CWE.