Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.thymeleaf/thymeleaf@2.0.14
Typemaven
Namespaceorg.thymeleaf
Namethymeleaf
Version2.0.14
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.1.5.RELEASE
Latest_non_vulnerable_version3.1.5.RELEASE
Affected_by_vulnerabilities
0
url VCID-3r8s-er6d-zqh7
vulnerability_id VCID-3r8s-er6d-zqh7
summary Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40478.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40478.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40478
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17831
published_at 2026-06-14T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17679
published_at 2026-06-11T12:55:00Z
2
value 0.00055
scoring_system epss
scoring_elements 0.17855
published_at 2026-06-13T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17839
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40478
2
reference_url https://github.com/thymeleaf/thymeleaf
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/thymeleaf/thymeleaf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40478
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40478
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2459349
reference_id 2459349
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2459349
5
reference_url https://github.com/advisories/GHSA-xjw8-8c5c-9r79
reference_id GHSA-xjw8-8c5c-9r79
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xjw8-8c5c-9r79
6
reference_url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79
reference_id GHSA-xjw8-8c5c-9r79
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-20T16:17:04Z/
url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79
7
reference_url https://access.redhat.com/errata/RHSA-2026:21772
reference_id RHSA-2026:21772
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:21772
fixed_packages
0
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4
1
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ptk1-n6zn-9bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
aliases CVE-2026-40478, GHSA-xjw8-8c5c-9r79
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3r8s-er6d-zqh7
1
url VCID-jypn-wmp5-y7dm
vulnerability_id VCID-jypn-wmp5-y7dm
summary Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40477.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40477.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40477
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17855
published_at 2026-06-13T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17831
published_at 2026-06-14T12:55:00Z
2
value 0.00055
scoring_system epss
scoring_elements 0.17679
published_at 2026-06-11T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17839
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40477
2
reference_url https://github.com/thymeleaf/thymeleaf
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/thymeleaf/thymeleaf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40477
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40477
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2459344
reference_id 2459344
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2459344
5
reference_url https://github.com/advisories/GHSA-r4v4-5mwr-2fwr
reference_id GHSA-r4v4-5mwr-2fwr
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r4v4-5mwr-2fwr
6
reference_url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr
reference_id GHSA-r4v4-5mwr-2fwr
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-20T13:23:45Z/
url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr
7
reference_url https://access.redhat.com/errata/RHSA-2026:21772
reference_id RHSA-2026:21772
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:21772
fixed_packages
0
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4
1
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ptk1-n6zn-9bbn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
aliases CVE-2026-40477, GHSA-r4v4-5mwr-2fwr
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jypn-wmp5-y7dm
2
url VCID-ptk1-n6zn-9bbn
vulnerability_id VCID-ptk1-n6zn-9bbn
summary Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41901
reference_id
reference_type
scores
0
value 0.00104
scoring_system epss
scoring_elements 0.27842
published_at 2026-06-11T12:55:00Z
1
value 0.00104
scoring_system epss
scoring_elements 0.28041
published_at 2026-06-12T12:55:00Z
2
value 0.00113
scoring_system epss
scoring_elements 0.29713
published_at 2026-06-13T12:55:00Z
3
value 0.00113
scoring_system epss
scoring_elements 0.29698
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41901
1
reference_url https://github.com/thymeleaf/thymeleaf
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/thymeleaf/thymeleaf
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41901
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41901
3
reference_url https://github.com/advisories/GHSA-c9ph-gxww-7744
reference_id GHSA-c9ph-gxww-7744
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c9ph-gxww-7744
4
reference_url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744
reference_id GHSA-c9ph-gxww-7744
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-13T12:07:53Z/
url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744
fixed_packages
0
url pkg:maven/org.thymeleaf/thymeleaf@3.1.5
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.5
1
url pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE
aliases CVE-2026-41901, GHSA-c9ph-gxww-7744
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ptk1-n6zn-9bbn
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@2.0.14