VulnerableCode Package Details - pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE

Search for packages

Vulnerability	Summary	Fixed by
VCID-ptk1-n6zn-9bbn Aliases: CVE-2026-41901 GHSA-c9ph-gxww-7744	Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.	3.1.5.RELEASE Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ptk1-n6zn-9bbn
Aliases:
CVE-2026-41901
GHSA-c9ph-gxww-7744

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

3.1.5.RELEASE
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3r8s-er6d-zqh7	Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.	CVE-2026-40478 GHSA-xjw8-8c5c-9r79
VCID-jypn-wmp5-y7dm	Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.	CVE-2026-40477 GHSA-r4v4-5mwr-2fwr

Vulnerability

Summary

Aliases

VCID-3r8s-er6d-zqh7

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

CVE-2026-40478
GHSA-xjw8-8c5c-9r79

VCID-jypn-wmp5-y7dm

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

CVE-2026-40477
GHSA-r4v4-5mwr-2fwr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:19:11.950432+00:00	GitLab Importer	Affected by	VCID-ptk1-n6zn-9bbn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.thymeleaf/thymeleaf/CVE-2026-41901.yml	38.6.0
2026-06-12T22:05:39.370298+00:00	GitLab Importer	Fixing	VCID-jypn-wmp5-y7dm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.thymeleaf/thymeleaf/CVE-2026-40477.yml	38.6.0
2026-06-12T22:05:26.403948+00:00	GitLab Importer	Fixing	VCID-3r8s-er6d-zqh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.thymeleaf/thymeleaf/CVE-2026-40478.yml	38.6.0
2026-06-12T07:45:23.283133+00:00	GithubOSV Importer	Fixing	VCID-jypn-wmp5-y7dm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r4v4-5mwr-2fwr/GHSA-r4v4-5mwr-2fwr.json	38.6.0
2026-06-12T07:45:16.058267+00:00	GithubOSV Importer	Fixing	VCID-3r8s-er6d-zqh7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xjw8-8c5c-9r79/GHSA-xjw8-8c5c-9r79.json	38.6.0