CVE-2026-8759

7.3 HIGH

A vulnerability was identified in xiandafu beetl up to 3.20.2

Published: 2026-05-17 · Last updated: 2026-05-18

Severity and scoring

CVSS: 7.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20, CWE-917

Description

A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8759
[Other]https://gitee.com/xiandafu/beetl/
[Other]https://gitee.com/xiandafu/beetl/issues/IIYAWC
[Other]https://vuldb.com/submit/811316
[Other]https://vuldb.com/vuln/364386
[Other]https://vuldb.com/vuln/364386/cti

Related CVEs

Same CWE

CVE-2026-12191 — A vulnerability was found in Comma AI Openpilot 0.11 (7.8 HIGH)
CVE-2026-45013 — ApostropheCMS is an open-source Node.js content management system (8.1 HIGH)
CVE-2026-54133 — jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP app... (9.8 CRITICAL)
CVE-2026-47196 — Quest Bot is an opensource Discord Bot
CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)