CVE-2021-28170

Improper Input Validation in Jakarta Expression Language

Description

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

Severity

Ecosystem

Java

Publish Date

October 6, 2021

Modified Date

July 1, 2025

Score Vector

Affected Versions