Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.thymeleaf/thymeleaf@2.0.19
Type maven
Namespace org.thymeleaf
Name thymeleaf
Version 2.0.19
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.1.5.RELEASE
Latest_non_vulnerable_version 3.1.5.RELEASE
Affected_by_vulnerabilities
0
url VCID-3ryv-gwe2-zydg
vulnerability_id VCID-3ryv-gwe2-zydg
summary thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40478.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40478.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40478
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17594
published_at 2026-06-09T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17693
published_at 2026-06-05T12:55:00Z
2
value 0.00055
scoring_system epss
scoring_elements 0.17687
published_at 2026-06-06T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17655
published_at 2026-06-07T12:55:00Z
4
value 0.00055
scoring_system epss
scoring_elements 0.17577
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40478
2
reference_url https://github.com/thymeleaf/thymeleaf
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/thymeleaf/thymeleaf
3
reference_url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-20T16:17:04Z/
url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40478
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40478
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2459349
reference_id 2459349
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2459349
6
reference_url https://github.com/advisories/GHSA-xjw8-8c5c-9r79
reference_id GHSA-xjw8-8c5c-9r79
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xjw8-8c5c-9r79
7
reference_url https://access.redhat.com/errata/RHSA-2026:21772
reference_id RHSA-2026:21772
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:21772
fixed_packages
0
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4
1
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8hc3-8tdw-yueg
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
aliases CVE-2026-40478, GHSA-xjw8-8c5c-9r79
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ryv-gwe2-zydg
1
url VCID-8hc3-8tdw-yueg
vulnerability_id VCID-8hc3-8tdw-yueg
summary
Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns
### Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI).

### Patches

This has been fixed in Thymeleaf 3.1.5.RELEASE. All users are advised to upgrade immediately.

### Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated/unsanitized data directly to the template engine. Upgrading to 3.1.5.RELEASE is strongly recommended in any case.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41901
reference_id
reference_type
scores
0
value 0.00104
scoring_system epss
scoring_elements 0.27947
published_at 2026-06-05T12:55:00Z
1
value 0.00104
scoring_system epss
scoring_elements 0.27817
published_at 2026-06-09T12:55:00Z
2
value 0.00104
scoring_system epss
scoring_elements 0.27811
published_at 2026-06-08T12:55:00Z
3
value 0.00104
scoring_system epss
scoring_elements 0.27859
published_at 2026-06-07T12:55:00Z
4
value 0.00104
scoring_system epss
scoring_elements 0.27896
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41901
1
reference_url https://github.com/thymeleaf/thymeleaf
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/thymeleaf/thymeleaf
2
reference_url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-13T12:07:53Z/
url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41901
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41901
4
reference_url https://github.com/advisories/GHSA-c9ph-gxww-7744
reference_id GHSA-c9ph-gxww-7744
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c9ph-gxww-7744
fixed_packages
0
url pkg:maven/org.thymeleaf/thymeleaf@3.1.5
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.5
1
url pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE
aliases CVE-2026-41901, GHSA-c9ph-gxww-7744
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8hc3-8tdw-yueg
2
url VCID-9r94-dxdk-qkb9
vulnerability_id VCID-9r94-dxdk-qkb9
summary thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40477.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40477.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40477
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17594
published_at 2026-06-09T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17693
published_at 2026-06-05T12:55:00Z
2
value 0.00055
scoring_system epss
scoring_elements 0.17687
published_at 2026-06-06T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17655
published_at 2026-06-07T12:55:00Z
4
value 0.00055
scoring_system epss
scoring_elements 0.17577
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40477
2
reference_url https://github.com/thymeleaf/thymeleaf
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/thymeleaf/thymeleaf
3
reference_url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-20T13:23:45Z/
url https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40477
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40477
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2459344
reference_id 2459344
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2459344
6
reference_url https://github.com/advisories/GHSA-r4v4-5mwr-2fwr
reference_id GHSA-r4v4-5mwr-2fwr
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r4v4-5mwr-2fwr
7
reference_url https://access.redhat.com/errata/RHSA-2026:21772
reference_id RHSA-2026:21772
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:21772
fixed_packages
0
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4
1
url pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
purl pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8hc3-8tdw-yueg
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE
aliases CVE-2026-40477, GHSA-r4v4-5mwr-2fwr
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9r94-dxdk-qkb9
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@2.0.19