xiandafu beetl SpELFunction SpELFunction.java expression language injection_CVE-2026-8759

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Basic Information

ID CVE-2026-8759

Source VulDB

Published May 17, 2026 at 14:15

Affected Product

Vendor xiandafu

Product beetl

Version 3.20.0

Affected Versions xiandafu beetl 3.20.0
xiandafu beetl 3.20.1
xiandafu beetl 3.20.2

CWE Classification

CWE-917 CWE-20

References

{
    "lastseen": "",
    "description": "A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.",
    "published": "2026-05-17T14:15:42.240Z",
    "modified": "2026-05-17T14:15:42.240Z",
    "type": "cve",
    "title": "xiandafu beetl SpELFunction SpELFunction.java expression language injection",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/364386\nhttps://vuldb.com/vuln/364386/cti\nhttps://vuldb.com/submit/811316\nhttps://gitee.com/xiandafu/beetl/issues/IIYAWC\nhttps://gitee.com/xiandafu/beetl/",
    "id": "CVE-2026-8759",
    "bulletinFamily": "",
    "cwe": [
        "CWE-917",
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "xiandafu beetl 3.20.0\nxiandafu beetl 3.20.1\nxiandafu beetl 3.20.2",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "beetl",
    "version": "3.20.0",
    "vendor": "xiandafu",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}