Description
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Extended Description
Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.
CVE vulnerabilities with CWE-917 (220)
10.0
CVSS
CRITICAL
CVE-2025-41243
pub. 2025-09-16
10.0
CVSS
CRITICAL
CVE-2025-3322
pub. 2025-06-06
10.0
CVSS
CRITICAL
CVE-2022-22947
pub. 2022-03-03🚩 CISA KEV⚡ EXPLOIT
10.0
CVSS
CRITICAL
CVE-2021-44228
pub. 2021-12-10🚩 CISA KEV⚡ EXPLOIT
9.9
CVSS
CRITICAL
CVE-2026-39842
pub. 2026-04-15
9.8
CVSS
CRITICAL
CVE-2026-11561
pub. 2026-06-11
9.8
CVSS
CRITICAL
CVE-2026-22738
pub. 2026-03-27
9.8
CVSS
CRITICAL
CVE-2026-24713
pub. 2026-03-09
9.8
CVSS
CRITICAL
CVE-2023-51593
pub. 2024-05-03
9.8
CVSS
CRITICAL
CVE-2023-41331
pub. 2023-09-12
9.8
CVSS
CRITICAL
CVE-2023-27821
pub. 2023-03-28
9.8
CVSS
CRITICAL
CVE-2023-26092
pub. 2023-02-20
9.8
CVSS
CRITICAL
CVE-2022-22980
pub. 2022-06-23
9.8
CVSS
CRITICAL
CVE-2022-26134
pub. 2022-06-03🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2021-31805
pub. 2022-04-12
9.8
CVSS
CRITICAL
CVE-2022-22963
pub. 2022-04-01🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2021-26084
pub. 2021-08-30🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2020-17530
pub. 2020-12-11🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2020-24650
pub. 2020-10-19
9.8
CVSS
CRITICAL
CVE-2020-24651
pub. 2020-10-19
Showing 20 of 220 vulnerabilities