Vulnerability Report

CVE-2026-41901

Title: Server-Side Template Injection (SSTI) via Security Bypass

Other

Proof Of Concept

PoC Available for CVE-2026-41901

CWE Category CWE-917
Published Date May 12, 2026
Modified Date May 13, 2026
Exploit Status Available
Score 9.0 CVSS v3.1
Exploit Probability (EPSS)
0.33%

Vulnerability Summary

CVE-2026-41901: Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

Impacted Vendors

Analysis in Progress...

Reference Links

https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744
CVSS v3.1
Source Entity [email protected]
Severity CRITICAL
9.0
Attack Vector
NETWORK
Complexity
HIGH
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
CHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-41901 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/HORKimhab/CVE-2026-41901
View Code
MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity HIGH
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Stack

No specific products linked.