CVE-2026-8759
Published 2026-05-17
CVE-2026-8759: A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file…
Priority: P347 | high | 7.3 | CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
EPSS: 0.41% (32.5th percentile)
A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xiandafu | beetl | — | — |
| xiandafu | beetl | — | — |
| xiandafu | beetl | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA
Beetl's SpELFunction extension function has an expression injection risk
ghsa·2026-05-17
CVE-2026-8759 [MEDIUM] CWE-20 Beetl's SpELFunction extension function has an expression injection risk
GHSA
GHSA-fmmw-44rp-jcfp: A vulnerability was identified in xiandafu beetl up to 3
ghsa_unreviewed·2026-05-17
CVE-2026-8759 [MEDIUM] CWE-20 GHSA-fmmw-44rp-jcfp: A vulnerability was identified in xiandafu beetl up to 3
VulDB
xiandafu beetl up to 3.20.2 SpELFunction SpELFunction.java expression language injection (IIYAWC)
vuldb·2026-05-16
CVE-2026-8759 [CRITICAL] xiandafu beetl up to 3.20.2 SpELFunction SpELFunction.java expression language injection (IIYAWC)
A vulnerability was found in xiandafu beetl up to 3.20.2. It has been rated as critical. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement.
This vulnerability is referenced as CVE-2026-8759. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
The project was informed of the problem early through an issue report but has not responded yet.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.