CVE-2026-41901
Thymeleaf · Java Template Engine
A Server-Side Template Injection (SSTI) vulnerability in the Thymeleaf template engine allows for unauthorized expression execution when unsanitized input is processed in sandboxed contexts.
Executive summary
The Thymeleaf Java template engine is affected by a critical SSTI vulnerability that enables unauthorized expression execution when processing unsanitized user inputs.
Vulnerability
This is a Server-Side Template Injection (SSTI) vulnerability in Thymeleaf's expression execution mechanism. It is triggered when application code passes unsanitized, user-controlled input into a sandboxed template context; an attacker who controls that input can bypass the sandbox's restrictions and execute arbitrary expressions.
Business impact
Successful exploitation could lead to full remote code execution on the server hosting the application. With a CVSS score of 9.0, this is a critical risk to the confidentiality, integrity and availability of the application and its data; an attacker who exploits it may be able to compromise the entire application environment.
Remediation
Immediate Action: Upgrade the Thymeleaf library to version 3.1.5.RELEASE or later immediately; this release contains the fix.
Proactive Monitoring: Inspect application logs for unusual template rendering patterns and for template expression syntax (for example the standard Thymeleaf delimiters ${...}, *{...}, #{...}, @{...}, ~{...}, the [[...]] inlining markers and the __...__ preprocessing markers) appearing in user-controllable input fields. Decode URL-encoded parameters before matching, since the delimiters are usually percent-encoded in request logs.
Compensating Controls: Apply strict validation and sanitization to all data passed to template engines, never assemble template source (template text, template names or fragment selectors) from user input but pass it to the engine as a model variable instead, and run the application under the principle of least privilege so that expression execution gains an attacker as little as possible.
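The following is an added example, not code from this advisory or from the Thymeleaf project, showing the general SSTI class the advisory describes: untrusted input spliced into template source is parsed and evaluated, whereas the same input passed as a model variable is only escaped text. It also shows the two compensating controls above (an input check for Thymeleaf expression syntax, and the same check run over log lines). It assumes Thymeleaf 3.x on the classpath; the class name, method names, the arithmetic probe and the sample log lines are constructed for this illustration. It does not reproduce the specific mechanism of CVE-2026-41901, which the advisory does not detail.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafSstiDemo {

    // Thymeleaf standard-expression delimiters ${..} *{..} #{..} @{..} ~{..},
    // the [[..]] / [(..)] inlining markers and the __..__ preprocessing markers.
    // Any of these in untrusted input is a red flag when that input could ever
    // reach the template source rather than the model.
    private static final Pattern EXPRESSION_SYNTAX =
        Pattern.compile("[$*#@~]\\{|\\[\\[|\\[\\(|__");

    static boolean containsExpressionSyntax(String input) {
        return input != null && EXPRESSION_SYNTAX.matcher(input).find();
    }

    private static TemplateEngine buildEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    private static final TemplateEngine ENGINE = buildEngine();

    // VULNERABLE pattern: untrusted input becomes part of the template source,
    // so the engine parses and evaluates any expression the attacker supplies.
    static String renderUnsafe(String displayName) {
        String templateSource = "<p>Hello, " + displayName + "</p>";
        return ENGINE.process(templateSource, new Context());
    }

    // HARDENED pattern: the template is a fixed literal; the input is only a
    // model variable that th:text escapes and never treats as an expression.
    // The syntax check is defence in depth on top of that, not a substitute.
    static String renderSafe(String displayName) {
        if (containsExpressionSyntax(displayName)) {
            throw new IllegalArgumentException("template expression syntax in user input");
        }
        Context ctx = new Context();
        ctx.setVariable("displayName", displayName);
        return ENGINE.process("<p th:text=\"|Hello, ${displayName}|\"></p>", ctx);
    }

    // Percent-decode a log line so encoded delimiters such as %24%7B are seen.
    static String decodeLine(String line) {
        try {
            return URLDecoder.decode(line, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return line; // keep the raw line if the encoding is broken
        }
    }

    // Log triage: return every line whose decoded form carries expression syntax.
    static List<String> flagSuspiciousRequests(List<String> logLines) {
        return logLines.stream()
            .filter(line -> containsExpressionSyntax(decodeLine(line)))
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Harmless arithmetic probe inside an inlined expression: if the rendered
        // output contains 49 rather than the literal probe text, the engine
        // evaluated the user input as an expression.
        String probe = "[[${7*7}]]";
        System.out.println("unsafe: " + renderUnsafe(probe));
        System.out.println("safe  : " + renderSafe("Alice"));
        try {
            renderSafe(probe);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed sample log lines, not real application logs.
        List<String> sampleLog = List.of(
            "GET /greet?name=Alice 200",
            "GET /greet?name=%5B%5B%24%7B7*7%7D%5D%5D 200",
            "GET /greet?name=__%24%7Bname%7D__ 200");
        System.out.println("flagged: " + flagSuspiciousRequests(sampleLog));
    }
}
```

Run it against a project that has thymeleaf 3.x on the classpath. The important contrast is between renderUnsafe and renderSafe: the input check rejects the obvious probes, but the property that actually closes the hole is that renderSafe never lets user data into the string handed to TemplateEngine.process, so the check can fail open without turning the input into code.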
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this SSTI vulnerability calls for an immediate audit of all applications that use the Thymeleaf engine. Developers should prioritise updating to version 3.1.5.RELEASE or later to remove the risk of remote code execution and full system compromise.