CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Also known as: EL Injection
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Last updated
Overview
Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.
Real-world CVEs
44 recorded CVEs are caused by CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')), including 6 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 17 new CWE-917 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2021-26084CISA KEVCritical · CVSS 10.0 · EPSS 100th2021-08-30
- CVE-2022-26134CISA KEVCritical · CVSS 9.3 · EPSS 100th2022-06-03
- CVE-2020-17530CISA KEVCritical · CVSS 9.3 · EPSS 100th2020-12-11
- CVE-2010-1871CISA KEVCritical · CVSS 9.3 · EPSS 100th2010-08-04
- CVE-2021-45046CISA KEV
Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
Critical · CVSS 9.0 · EPSS 100th2021-12-14 - CVE-2020-10199CISA KEVHigh · CVSS 8.7 · EPSS 100th2020-04-01
- CVE-2025-41243
Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux
Critical · CVSS 10.0 · EPSS 87th2025-09-16 - CVE-2025-3322
Improper Neutralization of Special Elements in OnlineSuite
Critical · CVSS 10.0 · EPSS 43th2025-06-06 - CVE-2026-11561
SSTI in Soagen Informatics' Apinizer
Critical · CVSS 9.8 · EPSS 34th2026-06-11 - CVE-2024-5828Critical · CVSS 9.8 · EPSS 29th2024-08-06
- CVE-2023-51593Critical · CVSS 9.8 · EPSS 73th2024-05-03
- CVE-2024-0715Critical · CVSS 9.8 · EPSS 37th2024-02-20
Showing 12 of 44 recorded CWE-917 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-917 vulnerabilitiesCommon consequences
What can happen when CWE-917 is exploited.
Read Application Data
Affects: Confidentiality
Execute Unauthorized Code or Commands
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-917, grouped by where in the lifecycle they apply.
Avoid adding user-controlled data into an expression interpreter when possible.
If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
- Validate that the user input will not evaluate as an expression
- Encode the user input in a way that ensures it is not evaluated as an expression
The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-44228CISA KEV— Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability in log4j)
Terminology & mappings
Alternate terms
- EL Injection
Frequently asked questions
Common questions about CWE-917.
- What is CWE-917?
- The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
- What CVEs are caused by CWE-917?
- 44 recorded CVEs are attributed to CWE-917, including CVE-2021-26084, CVE-2022-26134, CVE-2020-17530. 6 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-917?
- Avoid adding user-controlled data into an expression interpreter when possible.
- How is CWE-917 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-917?
- Exploiting CWE-917 can lead to: Read Application Data, Execute Unauthorized Code or Commands.
- Is CWE-917 actively exploited?
- Yes. 6 CWE-917 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 44 recorded CVEs.
References
- MITRE CWE definition (CWE-917) (opens in a new tab)
- CWE-917 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-917
Get alerted the moment a new CWE-917 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.