CVE-2026-8759 MEDIUM

CVE-2026-8759: xiandafu beetl SpELFunction SpELFunction.java expression language injection

Vendor Xiandafu

Product beetl

Weakness CWE-917

Published May 17, 2026

Last update May 18, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Key dates

Disclosure timeline

May 17, 2026 CVE published

May 18, 2026 Record updated

Identifiers

CVE CVE-2026-8759

CWE CWE-917

CVSS 6.9 / MEDIUM

Affected versions

Vendor Xiandafu

Product beetl

Affected 3.20.0

Vendor Xiandafu

Product beetl

Affected 3.20.1

Vendor Xiandafu

Product beetl

Affected 3.20.2