CVE-2026-8759: xiandafu beetl SpEL Injection Vulnerability


The National Vulnerability Database has disclosed CVE-2026-8759, a high-severity vulnerability (CVSS 7.3) affecting xiandafu beetl up to version 3.20.2. The flaw resides in an unknown function of the SpELFunction.java component, located under beetl-classic-integration/beetl-spring-classic/. The issue stems from improper neutralization of special elements in an expression language statement, which creates a remote code execution risk.

This isn’t theoretical; the exploit for CVE-2026-8759 is publicly available. Attackers can leverage this vulnerability without authentication or user interaction, making it a critical threat for any organization running affected versions. The National Vulnerability Database notes that the project maintainers were informed but have not yet responded, leaving a window for exploitation.

From an attacker’s perspective, this is a low-effort, high-reward target. The combination of remote exploitation, no prerequisites, and public exploit code means it will be rapidly weaponized. Defenders need to prioritize mitigation immediately. The core problem is an expression language injection (CWE-917) combined with improper input validation (CWE-20), a classic recipe for remote code execution.

What This Means For You

  • If your organization utilizes xiandafu beetl, specifically versions up to 3.20.2, you are exposed to unauthenticated remote code execution via CVE-2026-8759. Given the public availability of exploit code, assume active exploitation is imminent. Immediately identify all instances of xiandafu beetl in your environment. If no patch is available, prioritize isolating affected systems or implementing compensating controls to restrict network access to these components.


🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-8759: Beetl SpEL Injection via SpELFunction.java

Sigma YAML
title: CVE-2026-8759: Beetl SpEL Injection via SpELFunction.java
id: scw-2026-05-17-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-8759 by targeting the SpELFunction.java component in Beetl. The rule looks for requests containing '/SpELFunction.java' in the URI and a SpEL expression attempting to execute commands via 'T(java.lang.Runtime).getRuntime().exec(' in the query string.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8759/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/SpELFunction.java'
    cs-uri-query|contains:
      - 'T(java.lang.Runtime).getRuntime().exec('
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
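The query-string condition of the rule above is a literal substring match, so it misses requests whose query is logged percent-encoded. The following added example (not part of the original page or the beetl project) decodes the query before matching and also flags any other SpEL type reference, which goes beyond the rule's single marker. The combined log format, the /app/page path, the parameter name and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Literal marker copied from the Sigma rule on this page.
MARKER = "T(java.lang.Runtime).getRuntime().exec("
# Assumption added here: any SpEL type reference T(some.Class) deserves review.
TYPE_REF = re.compile(r"(?<!\w)T\(\s*[A-Za-z_][\w.$]*\s*\)")
# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IPs, hypothetical path and parameter).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/May/2026:18:20:01 +0000] "GET /app/page?name=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/May/2026:18:20:05 +0000] "GET /app/page?e=T%28java.lang.Runtime%29'
    '.getRuntime%28%29.exec%28%27PLACEHOLDER%27%29 HTTP/1.1" 500 0',
    '203.0.113.9 - - [17/May/2026:18:20:09 +0000] "GET /app/page?e=T%2528java.lang.Runtime%2529'
    '.getRuntime%2528%2529.exec%2528%2527PLACEHOLDER%2527%2529 HTTP/1.1" 500 0',
    '198.51.100.4 - - [17/May/2026:18:21:30 +0000] "GET /app/page?e=T%28java.lang.Math%29'
    '.random%28%29 HTTP/1.1" 200 64',
]

def normalize(query, max_rounds=3):
    """Percent-decode a bounded number of times so double encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def classify(line):
    """Return 'marker', 'type_ref' or None for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return None  # unparseable line: nothing to evaluate
    query = normalize(match.group("target").partition("?")[2])
    if MARKER in re.sub(r"\s+", "", query):  # ignore whitespace padding
        return "marker"
    if TYPE_REF.search(query):
        return "type_ref"
    return None

def scan(lines):
    """Return (line_number, verdict) for every flagged line, 1-indexed."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, verdict) for n, verdict in hits if verdict]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

The `type_ref` verdict is deliberately broad and will also fire on applications that legitimately accept expressions, so treat it as a triage signal rather than a confirmed attempt.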


Indicators of Compromise

ID | Type | Indicator
CVE-2026-8759 | Code Injection | xiandafu beetl up to 3.20.2
CVE-2026-8759 | Code Injection | beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java
CVE-2026-8759 | Code Injection | Improper Neutralization of Special Elements in an Expression Language Statement

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 17, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
