CWE-917
AllowedImproper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Abstraction: Base · Status: Incomplete
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
170 vulnerabilities reference this CWE, most recent first.
GHSA-Q234-CXPJ-MGPQ
Vulnerability from github – Published: 2024-12-10 00:31 – Updated: 2025-01-30 15:31A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur.
{
"affected": [],
"aliases": [
"CVE-2024-9672"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T00:15:22Z",
"severity": "MODERATE"
},
"details": "A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur.",
"id": "GHSA-q234-cxpj-mgpq",
"modified": "2025-01-30T15:31:36Z",
"published": "2024-12-10T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9672"
},
{
"type": "WEB",
"url": "https://www.papercut.com/kb/Main/security-bulletin-december-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q6H6-58J2-2F5M
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
{
"affected": [],
"aliases": [
"CVE-2020-26565"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-31T17:15:00Z",
"severity": "HIGH"
},
"details": "ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.",
"id": "GHSA-q6h6-58j2-2f5m",
"modified": "2022-05-24T19:09:28Z",
"published": "2022-05-24T19:09:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26565"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"type": "WEB",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q7XG-FWXG-6R7W
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7169"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-q7xg-fwxg-6r7w",
"modified": "2022-05-24T17:31:17Z",
"published": "2022-05-24T17:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7169"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q979-9M39-23MQ
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 03:30Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.nepxion:discovery"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23463"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-28T03:30:11Z",
"nvd_published_at": "2022-09-24T05:15:00Z",
"severity": "CRITICAL"
},
"details": "Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver\u2019s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.",
"id": "GHSA-q979-9m39-23mq",
"modified": "2022-09-28T03:30:11Z",
"published": "2022-09-25T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23463"
},
{
"type": "PACKAGE",
"url": "https://github.com/Nepxion/Discovery"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution"
}
GHSA-QCMR-2XXW-7GQQ
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A powershellconfigcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7186"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A powershellconfigcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-qcmr-2xxw-7gqq",
"modified": "2022-05-24T17:31:20Z",
"published": "2022-05-24T17:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7186"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QXJV-7MH6-335F
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A select expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7155"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A select expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-qxjv-7mh6-335f",
"modified": "2022-05-24T17:31:16Z",
"published": "2022-05-24T17:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7155"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QXQ7-9XFQ-JP7X
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A deployselectsoftware expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7148"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A deployselectsoftware expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-qxq7-9xfq-jp7x",
"modified": "2022-05-24T17:31:15Z",
"published": "2022-05-24T17:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7148"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R4V4-5MWR-2FWR
Vulnerability from github – Published: 2026-04-15 19:46 – Updated: 2026-04-24 20:51Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).
Patches
This has been fixed in Thymeleaf 3.1.4.RELEASE.
Workarounds
No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.
Credits
Thanks to Thomas Reburn (Praetorian) for responsible disclosure.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
},
"package": {
"ecosystem": "Maven",
"name": "org.thymeleaf:thymeleaf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
},
"package": {
"ecosystem": "Maven",
"name": "org.thymeleaf:thymeleaf-spring5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
},
"package": {
"ecosystem": "Maven",
"name": "org.thymeleaf:thymeleaf-spring6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40477"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-15T19:46:04Z",
"nvd_published_at": "2026-04-17T22:16:33Z",
"severity": "CRITICAL"
},
"details": "### Impact\nA security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u0027s protections to achieve Server-Side Template Injection (SSTI).\n\n### Patches\nThis has been fixed in Thymeleaf 3.1.4.RELEASE.\n\n### Workarounds\nNo workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.\n\n\n### Credits\nThanks to Thomas Reburn (Praetorian) for responsible disclosure.",
"id": "GHSA-r4v4-5mwr-2fwr",
"modified": "2026-04-24T20:51:36Z",
"published": "2026-04-15T19:46:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40477"
},
{
"type": "PACKAGE",
"url": "https://github.com/thymeleaf/thymeleaf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper restriction of the scope of accessible objects in Thymeleaf expressions"
}
GHSA-R6FV-QMRC-3H24
Vulnerability from github – Published: 2022-05-17 00:25 – Updated: 2025-10-22 03:30JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
{
"affected": [],
"aliases": [
"CVE-2010-1871"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-08-05T13:23:00Z",
"severity": "MODERATE"
},
"details": "JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.",
"id": "GHSA-r6fv-qmrc-3h24",
"modified": "2025-10-22T03:30:28Z",
"published": "2022-05-17T00:25:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1871"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=615956"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/60794"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20161017-0001"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-1871"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0564.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/41994"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1024253"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1929"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R6MX-6MVG-8GR2
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16Input validation issue in POWER EGG(Ver 2.0.1, Ver 2.02 Patch 3 and earlier, Ver 2.1 Patch 4 and earlier, Ver 2.2 Patch 7 and earlier, Ver 2.3 Patch 9 and earlier, Ver 2.4 Patch 13 and earlier, Ver 2.5 Patch 12 and earlier, Ver 2.6 Patch 8 and earlier, Ver 2.7 Patch 6 and earlier, Ver 2.7 Government Edition Patch 7 and earlier, Ver 2.8 Patch 6 and earlier, Ver 2.8c Patch 5 and earlier, Ver 2.9 Patch 4 and earlier) allows remote attackers to execute EL expression on the server via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2019-5916"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-13T18:29:00Z",
"severity": "CRITICAL"
},
"details": "Input validation issue in POWER EGG(Ver 2.0.1, Ver 2.02 Patch 3 and earlier, Ver 2.1 Patch 4 and earlier, Ver 2.2 Patch 7 and earlier, Ver 2.3 Patch 9 and earlier, Ver 2.4 Patch 13 and earlier, Ver 2.5 Patch 12 and earlier, Ver 2.6 Patch 8 and earlier, Ver 2.7 Patch 6 and earlier, Ver 2.7 Government Edition Patch 7 and earlier, Ver 2.8 Patch 6 and earlier, Ver 2.8c Patch 5 and earlier, Ver 2.9 Patch 4 and earlier) allows remote attackers to execute EL expression on the server via unspecified vectors.",
"id": "GHSA-r6mx-6mvg-8gr2",
"modified": "2022-05-13T01:16:21Z",
"published": "2022-05-13T01:16:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5916"
},
{
"type": "WEB",
"url": "https://poweregg.d-circle.com/support/package/important/20190204_000780"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN63860183/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid adding user-controlled data into an expression interpreter when possible.
Mitigation
- If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
- Validate that the user input will not evaluate as an expression
- Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
No CAPEC attack patterns related to this CWE.