CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)) — Vulnerability Class 23

23 vulnerabilities classified as CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)). AI Chinese analysis included.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-40478	Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf — thymeleaf	9.1	Critical	2026-04-17
CVE-2026-40477	Improper restriction of the scope of accessible objects in Thymeleaf expressions — thymeleaf	9.1	Critical	2026-04-17
CVE-2025-11175	DiscussionTools should use better regex — Mediawiki - DiscussionTools Extension	7.5^AI	High^AI	2026-01-30
CVE-2025-41253	Spring Cloud Gateway Webflux SpEL Injection Vulnerability Allowing Exposure of Environment Variables — Spring Cloud Gateway Server Webflux	7.5	High	2025-10-16
CVE-2025-41243	Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux — Cloud Gateway	10.0	Critical	2025-09-16
CVE-2025-3322	Improper Neutralization of Special Elements in OnlineSuite — OnlineSuite	9.8^AI	Critical^AI	2025-06-06
CVE-2024-51466	IBM Cognos Analytics expression language injection — Cognos Analytics	9.0	Critical	2024-12-20
CVE-2024-12798	JaninoEventEvaluator vulnerability — Logback-core	8.4	-	2024-12-19
CVE-2024-9672	Reflected XSS in PaperCut MF — PaperCut MF	6.1	-	2024-12-09
CVE-2024-7552	DataGear Data Schema Page ConversionSqlParamValueMapper.java evaluateVariableExpression expression language injection — DataGear	6.3	Medium	2024-08-06
CVE-2024-5828	EL Injection Vulnerability in Hitachi Tuning Manager — Hitachi Tuning Manager	8.6	High	2024-08-06
CVE-2024-4286	Improper Neutralization of Special Elements in mintplex-labs/anything-llm — mintplex-labs/anything-llm	6.5	-	2024-05-26
CVE-2023-51593	Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability — ViewPower Pro	9.8	-	2024-05-03
CVE-2024-0715	EL Injection Vulnerability in Hitachi Global Link Manager — Hitachi Global Link Manager	7.6	High	2024-02-20
CVE-2023-41331	SOFARPC Remote Command Execution (RCE) Vulnerability — sofa-rpc	9.8	Critical	2023-09-12
CVE-2022-4146	EL Injection Vulnerability in Hitachi Replication Manager — Hitachi Replication Manager	7.3	High	2023-07-18
CVE-2022-45855	Apache Ambari: Allows authenticated metrics consumers to perform RCE — Apache Ambari	8.0	High	2023-07-12
CVE-2022-42009	Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application. — Apache Ambari	8.0	High	2023-07-12
CVE-2023-32200	Apache Jena: Exposure of execution in script engine expressions. — Apache Jena	4.6	-	2023-07-12
CVE-2023-22665	Apache Jena: Exposure of arbitrary execution in script engine expressions. — Apache Jena	6.1	-	2023-04-25
CVE-2022-23463	SpEL Injection in Nepxion Discovery — Discover	9.4	Critical	2022-09-24
CVE-2021-31805	Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. — Apache Struts	9.8	-	2022-04-12
CVE-2021-45046	Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack — Apache Log4j	9.0	-	2021-12-14

Vulnerabilities classified as CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)) represent 23 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.

Goal Reached Thanks to every supporter — we hit 100%!

CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)) — Vulnerability Class 23