It is possible to execute arbitrary Expression Language (EL) statements on the target application server. EL injection is a critical severity vulnerability that can lead to full system compromise. EL injection can occur when attacker-controlled data is used to construct EL statements without neutralizing special characters. These special characters could modify the intended EL statement prior to it being executed by an interpreter.
User-controlled data should always have special elements neutralized when used as part of constructing Expression Language statements. Please consult the documentation for the EL interpreter in use on how properly neutralize user controlled data.