CWE-917
AllowedImproper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Abstraction: Base · Status: Incomplete
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
170 vulnerabilities reference this CWE, most recent first.
GHSA-28C5-5MQ5-93W2
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A faulttrapgroupselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7151"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A faulttrapgroupselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-28c5-5mq5-93w2",
"modified": "2022-05-24T17:31:16Z",
"published": "2022-05-24T17:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7151"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-29Q4-GXJQ-RX5C
Vulnerability from github – Published: 2021-02-10 02:31 – Updated: 2021-02-10 01:48Impact
It is possible for attacker to inject and execute java expression and compromising the availability and integrity of the system.
Patches
The issue was fixed on 0.0.19 version
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.sap.scimono:scimono-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21479"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-62",
"CWE-690",
"CWE-74",
"CWE-77",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-10T01:48:45Z",
"nvd_published_at": "2021-02-09T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nIt is possible for attacker to inject and execute java expression and compromising the availability and integrity of the system.\n\n### Patches\nThe issue was fixed on [0.0.19 version](https://mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19)",
"id": "GHSA-29q4-gxjq-rx5c",
"modified": "2021-02-10T01:48:45Z",
"published": "2021-02-10T02:31:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAP/scimono/security/advisories/GHSA-29q4-gxjq-rx5c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21479"
},
{
"type": "WEB",
"url": "https://github.com/SAP/scimono/commit/413b5d75fa94e77876af0e47be76475a23745b80"
},
{
"type": "WEB",
"url": "https://mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Remote Code Execution in SCIMono"
}
GHSA-29WV-CV7P-XJC2
Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-06-04 19:21A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.glassfish.main.admingui:admingui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.glassfish.jsftemplating:jsftemplating"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2587"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T19:21:21Z",
"nvd_published_at": "2026-05-19T15:16:28Z",
"severity": "CRITICAL"
},
"details": "A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) \u201cexpressions\u201d are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.",
"id": "GHSA-29wv-cv7p-xjc2",
"modified": "2026-06-04T19:21:21Z",
"published": "2026-05-19T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2587"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-ee4j/glassfish"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-ee4j/glassfish/releases/tag/8.0.2"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/86"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "GlassFish\u0027s gadget handler is vulnerable to RCE"
}
GHSA-2C6Q-RGVJ-66RX
Vulnerability from github – Published: 2022-05-02 03:23 – Updated: 2024-01-23 18:19Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tiles:tiles-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.1"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2009-1275"
],
"database_specific": {
"cwe_ids": [
"CWE-87",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-23T18:19:44Z",
"nvd_published_at": "2009-04-09T15:08:00Z",
"severity": "MODERATE"
},
"details": "Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) `tiles:putAttribute` and (2) `tiles:insertTemplate` JSP tags.",
"id": "GHSA-2c6q-rgvj-66rx",
"modified": "2024-01-23T18:19:44Z",
"published": "2022-05-02T03:23:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1275"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Apache Tiles Vulnerable to XSS via EL Expression Injection"
}
GHSA-2J83-QWG6-584R
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A viewbatchtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7184"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A viewbatchtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-2j83-qwg6-584r",
"modified": "2022-05-24T17:31:20Z",
"published": "2022-05-24T17:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7184"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2JHX-QQH2-9Q63
Vulnerability from github – Published: 2026-01-30 21:30 – Updated: 2026-01-30 21:30Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.
{
"affected": [],
"aliases": [
"CVE-2025-11175"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-30T20:16:40Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027) vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.",
"id": "GHSA-2jhx-qqh2-9q63",
"modified": "2026-01-30T21:30:22Z",
"published": "2026-01-30T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11175"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I563219f3298a8740e158d130492bf3d2897784d7"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T364910"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T396248"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2VP2-4CQW-XHCC
Vulnerability from github – Published: 2024-02-20 03:30 – Updated: 2025-02-12 18:31Expression Language Injection vulnerability in Hitachi Global Link Manager on Windows allows Code Injection.This issue affects Hitachi Global Link Manager: before 8.8.7-03.
{
"affected": [],
"aliases": [
"CVE-2024-0715"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T02:15:49Z",
"severity": "HIGH"
},
"details": "Expression Language Injection vulnerability in Hitachi Global Link Manager on Windows allows Code Injection.This issue affects Hitachi Global Link Manager: before 8.8.7-03.",
"id": "GHSA-2vp2-4cqw-xhcc",
"modified": "2025-02-12T18:31:27Z",
"published": "2024-02-20T03:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0715"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-112/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GX9-37WW-9QW6
Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-08-11 21:37In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request resulting in arbitrary remote execution on the remote host.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-22947"
],
"database_specific": {
"cwe_ids": [
"CWE-917",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-04T21:06:22Z",
"nvd_published_at": "2022-03-03T22:15:00Z",
"severity": "CRITICAL"
},
"details": "In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request resulting in arbitrary remote execution on the remote host.",
"id": "GHSA-3gx9-37ww-9qw6",
"modified": "2022-08-11T21:37:05Z",
"published": "2022-03-04T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22947"
},
{
"type": "WEB",
"url": "https://tanzu.vmware.com/security/cve-2022-22947"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Spring Cloud Gateway vulnerable to Code Injection when Gateway Actuator endpoint enabled, exposed, unsecured"
}
GHSA-3HX6-FQPJ-XFJR
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-11-08 12:55JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.richfaces:richfaces-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.3.Final"
},
{
"last_affected": "4.5.17.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-12532"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T12:55:35Z",
"nvd_published_at": "2018-06-18T12:29:00Z",
"severity": "CRITICAL"
},
"details": "JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource\u0027s resource request, aka RF-14309.",
"id": "GHSA-3hx6-fqpj-xfjr",
"modified": "2022-11-08T12:55:35Z",
"published": "2022-05-13T01:19:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12532"
},
{
"type": "WEB",
"url": "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "RichFaces vulnerable to Expression Language Injection"
}
GHSA-3JPC-997V-X927
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-21 00:00A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration.
{
"affected": [],
"aliases": [
"CVE-2022-34466"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T10:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions \u003e= V9.11 \u003c V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions \u003c V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration.",
"id": "GHSA-3jpc-997v-x927",
"modified": "2022-07-21T00:00:31Z",
"published": "2022-07-13T00:01:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34466"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid adding user-controlled data into an expression interpreter when possible.
Mitigation
- If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
- Validate that the user input will not evaluate as an expression
- Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
No CAPEC attack patterns related to this CWE.