MVEL is an expression language based on Java syntax. The language offers many features, including invocation of methods available in the JVM. If an MVEL expression is built using attacker-controlled data and then evaluated, it may allow the attacker to run arbitrary code.
Including user input in an MVEL expression should be avoided.
The following example uses untrusted data to build an MVEL expression and then runs it in the default powerful context.
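The code below is an added illustration of that pattern, not the page's original example, shown beside a form that keeps user input out of the expression text. The class name, method names, the `RULE` expression and the threshold value are hypothetical; it assumes the `org.mvel2` library is on the classpath.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import org.mvel2.MVEL;

public class MvelEvaluation {

    // Hypothetical rule written by the developer; never assembled from input.
    private static final String RULE = "value > threshold";

    // VULNERABLE: the line read from the socket is the expression itself,
    // so the remote peer chooses what MVEL evaluates inside the JVM.
    public static Object evaluateUnsafe(Socket socket) throws IOException {
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8))) {
            String expression = reader.readLine();
            return MVEL.eval(expression);
        }
    }

    // SAFER: the expression text is a constant. The untrusted line is parsed
    // into a plain integer and bound as a variable, so it is only ever data.
    public static Object evaluateBound(Socket socket) throws IOException {
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8))) {
            String line = reader.readLine();
            if (line == null) {
                throw new IOException("connection closed before any input arrived");
            }
            int value;
            try {
                value = Integer.parseInt(line.trim());
            } catch (NumberFormatException e) {
                // Reject anything that is not the expected type; do not evaluate it.
                throw new IllegalArgumentException("expected an integer", e);
            }
            Map<String, Object> vars = new HashMap<>();
            vars.put("value", value);
            vars.put("threshold", 100); // constructed sample threshold
            return MVEL.eval(RULE, vars);
        }
    }
}
```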