Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users — CVE-2026-42555
GHSA · GitHub · CVE-2026-42555
ID
CVE-2026-42555
CVE-2026-42555
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.1
9.1
Summary
### Summary Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using `StandardEvaluationContext`, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. ### Impact An attacker with ADMIN credentials can: - **Execute arbitrary OS commands** via…
Product
maven: com.ritense.valtimo:document | maven: com.ritense.valtimo:case | maven: com.ritense.valtimo:contract
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.