BaseIncomplete

CWE-917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Category: injection

Description

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.

Common consequences· 2

  • Confidentiality — Read Application Data
  • Integrity — Execute Unauthorized Code or Commands

Potential mitigations· 3

  • [Architecture and Design]Avoid adding user-controlled data into an expression interpreter when possible.
  • [Implementation]
  • [System Configuration, Operation]The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".

References

  1. https://cwe.mitre.org/data/definitions/917.html

(incoming)18

TypeTargetConfidenceTier
VulnerabilityCVE-2025-41243cve-2025-412430%live
VulnerabilityCVE-2026-22729cve-2026-227290%live
VulnerabilityCVE-2026-22738cve-2026-227380%live
VulnerabilityCVE-2026-24713cve-2026-247130%live
VulnerabilityCVE-2026-2586cve-2026-25860%live
VulnerabilityCVE-2026-2587cve-2026-25870%live
VulnerabilityCVE-2026-39842cve-2026-398420%live
VulnerabilityCVE-2026-40477cve-2026-404770%live
VulnerabilityCVE-2026-40478cve-2026-404780%live
VulnerabilityCVE-2026-41705cve-2026-417050%live
VulnerabilityCVE-2026-41883cve-2026-418830%live
VulnerabilityCVE-2026-41901cve-2026-419010%live
VulnerabilityCVE-2026-42811cve-2026-428110%live
KEVEntrySonatype Nexus Repository Remote Code Execution Vulnerabilitykev-cve-2020-101990%live
KEVEntryApache Struts Remote Code Execution Vulnerabilitykev-cve-2020-175300%live
KEVEntryAtlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerabilitykev-cve-2021-260840%live
KEVEntryApache Log4j2 Deserialization of Untrusted Data Vulnerabilitykev-cve-2021-450460%live
KEVEntryAtlassian Confluence Server and Data Center Remote Code Execution Vulnerabilitykev-cve-2022-261340%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Improper Neutralization of Special Elements Used in a Template Engine
CWE
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE
Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.