CVE-2026-42555

Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users

CVSS 9.1 CRITICALEPSS 0.6%CWE-94

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.1EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected products

com.ritense.valtimo · case com.ritense.valtimo · contract com.ritense.valtimo · document valtimo-platform · valtimo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh