CVE-2026-11561 PUBLISHED

SSTI in Soagen Informatics' Apinizer

Assigner: TR-CERT
Reserved: 08.06.2026 Published: 11.06.2026 Updated: 11.06.2026

Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Apinizer allows Code Injection.

This issue affects Apinizer: from 2026.04.0 before 2026.04.6.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Soagen Informatics Technologies Software and Consulting Inc.
Product	Apinizer
Versions	Default: unaffected affected from 2026.04.0 to 2026.04.6 (excl.)

Credits

Alperen KESKİN finder

References

https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0365

Problem Types

CWE-917 Improper neutralization of special elements used in an expression language statement ('expression language injection') CWE

Impacts

CAPEC-242 Code Injection