# Possible expression language (EL) injection detected

## Overview

* **Rule ID**: `java_lang_expression_language_injection`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-917

## Description

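Expression Language (EL) injection vulnerabilities arise when unvalidated external input is incorporated into EL statements. Because the EL engine evaluates the resulting expression, input that carries EL syntax is interpreted as part of it, which can lead to the execution of malicious code.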

## Remediation Guidelines

* **Always validate** all external input or dynamic values before incorporating them into EL statements. This is essential to mitigate the risk of EL injection attacks.
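
The guideline above, as an added example (not code from the rule's own documentation): the concatenation pattern beside a validated form that keeps the expression text constant. It assumes the EL 3.0+ API (`javax.el`, or `jakarta.el` on newer platforms) with an EL implementation on the classpath; `ProfileFieldReader`, `User` and the allowlist contents are hypothetical.

```java
import javax.el.ELProcessor;   // jakarta.el.ELProcessor on Jakarta EE 9+
import java.util.Set;

public class ProfileFieldReader {            // hypothetical class for this example
    public static class User {               // hypothetical bean exposed to EL
        public String getName()  { return "Ada"; }
        public String getEmail() { return "ada@example.test"; }
    }

    // Assumption: these are the only property names a caller may request.
    private static final Set<String> ALLOWED_FIELDS = Set.of("name", "email");

    // Pattern described above: external input becomes part of the expression
    // text, so the EL parser interprets whatever syntax the caller supplies.
    static Object readFieldUnsafe(User user, String field) {
        ELProcessor el = new ELProcessor();
        el.defineBean("user", user);
        return el.eval("user." + field);
    }

    // Validated form: the input is checked against the allowlist, the
    // expression is a constant, and the input is bound as a bean value,
    // so it is only ever used as data (a property name), never parsed as EL.
    static Object readFieldSafe(User user, String field) {
        if (field == null || !ALLOWED_FIELDS.contains(field)) {
            throw new IllegalArgumentException("unsupported field");
        }
        ELProcessor el = new ELProcessor();
        el.defineBean("user", user);
        el.defineBean("field", field);
        return el.eval("user[field]");
    }

    public static void main(String[] args) {
        User user = new User();
        System.out.println(readFieldSafe(user, "name"));
        try {
            // Constructed input containing EL syntax; rejected before evaluation.
            readFieldSafe(user, "name.length()");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```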

## References

* [**OWASP Expression Language Injection**](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
* [**CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')**](https://cwe.mitre.org/data/definitions/917.html)
* [**OWASP Top 10: A03:2021 - Injection**](https://owasp.org/Top10/A03_2021-Injection/)

## Configuration

To omit this rule during a scan, and for continuous 24/7 code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).
