1102 matches found
Expression Language Injection
Overview Affected versions of this package are vulnerable to Expression Language Injection when dynamically loading classes, which allows server-side template injection that crosses the intended sandbox boundary. An attacker can execute unauthorized expressions with the privileges of the server b...
Expression Language Injection
Overview org.apache.polaris:polaris-core is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure Affected versions of this package are...
CVE-2026-42811
In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Apache Polaris builds Google Cloud Storage downscoped credentials b...
CVE-2026-7045
A vulnerability was determined in baomidou dynamic-datasource 2.5.0. Affected by this vulnerability is the function DsSpelExpressionProcessordoDetermineDatasource of the file dynamic-datasource-spring/src/main/java/com/baomidou/dynamic/datasource/processor/DsSpelExpressionProcessor.java of the...
EUVD-2026-23964
Spinnaker: RCE via expression parsing due to unrestricted context handling...
GHSA-69RW-45WJ-G4V6 Spinnaker: RCE via expression parsing due to unrestricted context handling
Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL Spring Expression Language to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT...
Spinnaker: RCE via expression parsing due to unrestricted context handling
Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL Spring Expression Language to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT...
CVE-2026-32613 Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling
Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL Spring Expression Language to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT...
Exploit for CVE-2026-39842
CVE-2026-39842: OpenRemote Expression Injection RCE in Rules E...
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' via the CDNResourceHandler when a wildcard CDN mapping is configured. An attacker can execute arbitrary code, disclose...
GHSA-VP6R-9M58-5XV8 OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Impact Server-side EL injection leading to Remote Code Execution RCE. Affects applications that use CDNResourceHandler with a wildcard CDN mapping e.g. libraryName:=https://cdn.example.com/. An attacker can craft a resource request URL containing an EL expression in the resource name, which is...
PT-2026-37154
Name of the Vulnerable Software and Affected Versions OmniFaces versions prior to 1.14.2 OmniFaces versions prior to 2.7.32 OmniFaces versions prior to 3.14.16 OmniFaces versions prior to 4.7.5 OmniFaces versions prior to 5.2.3 Description Server-side Expression Language EL injection allows for...
Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression
A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code...
BIT-KYVERNO-2026-4789 CVE-2026-4789
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions...
GHSA-QQRV-2HCH-83Q4 Duplicate Advisory: Kyverno is vulnerable to server-side request forgery (SSRF)
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rggm-jjmc-3394. This link is maintained to preserve external references. Original Description Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions...
CVE-2026-4789
CVE-2026-4789 : Kyverno versions >=1.16.0 are vulnerable to SSRF via the CEL HTTP library used in CEL-based policies. The issue stems from the http.Get/http.Post functions in pkg/cel/libs/http/http.go not enforcing URL restrictions, enabling an attacker with namespace-scoped policy creation pe...
CVE-2026-4789 CVE-2026-4789
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions...
Spring AI 1.0.x < 1.0.5 / 1.1.x < 1.1.4 Multiple Vulnerabilities
The version of Spring AI installed on the remote host is 1.0.x prior to 1.0.5 or 1.1.x prior to 1.1.4. It is, therefore, affected by multiple vulnerabilities, including: - A SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A...
CVE-2026-22738
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression...
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression...