Remote RCE via SpELFunction in xiandafu Beetl 3.20.2 (Java)
CVE-2026-8759 Published on May 17, 2026

xiandafu beetl SpELFunction SpELFunction.java expression language injection
A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Timeline

Advisory disclosed

VulDB entry created

VulDB entry last update

Weakness Types

What is an EL Injection Vulnerability?

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

CVE-2026-8759 has been classified as an EL Injection vulnerability or weakness.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2026-8759

Affected Versions

xiandafu beetl: