Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Apinizer allows Code Injection. This issue affects Apinizer: from 2026.04.0 before 2026.04.6.
Apinizer software improperly sanitizes special characters used in Expression Language (EL) expressions. An attacker can provide malicious input containing malicious EL expressions, which will be interpreted and executed by the expression processing engine on the server side. The attack vector is network-based, requires no authentication or user interaction, and has low attack complexity (AC:L, PR:N, UI:N), making this vulnerability particularly easy to exploit.
Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code (Code Injection/RCE) on the server, which may lead to complete system compromise, disclosure of sensitive data, modification of configuration, or total loss of service availability.
Apinizer must be updated immediately to version 2026.04.6 or later. Detailed information is available in the vendor's security bulletin at: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0365
Apinizer versions from 2026.04.0 to 2026.04.5 (prior to version 2026.04.6)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H