CVE-2026-41901

EPSS 0.43%
Veröffentlicht 12.05.2026 22:35:50
Zuletzt bearbeitet 13.05.2026 16:10:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerthymeleaf

≫

Produkt thymeleaf

Version < 3.1.5.RELEASE

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.34

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744

https://nvd.nist.gov/vuln/detail/CVE-2026-41901

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41901

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41901

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41901