PT-2026-36947 · Thymeleaf · Thymeleaf

Published: 2026-04-29 · Updated: 2026-05-13 · CVE-2026-41901

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Thymeleaf versions prior to 3.1.5.RELEASE

Description
A security bypass exists in the expression execution mechanisms of Thymeleaf. The library fails to properly neutralize specific constructs within sandboxed (restricted) contexts, allowing unsafe template expressions to execute. If an application developer passes unsanitized variables to the template engine and these values are used in sandboxed contexts, it can lead to Server-Side Template Injection (SSTI), where an attacker can execute arbitrary code on the server.

Recommendations
Update to version 3.1.5.RELEASE. Ensure applications do not pass unvalidated or unsanitized data directly to the template engine.
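What the recommendation means in code, as an added example that is not part of the advisory and not code from the Thymeleaf project. It assumes Thymeleaf 3.x on the classpath and a hypothetical "display name" request field, and uses a StringTemplateResolver so it runs without template files. It contrasts request data spliced into the template text itself (the pattern the recommendation warns against) with request data passed only as a model variable and rendered through th:text, plus an allow-list check at the input boundary as a second layer.

```java
// Added example (not from the advisory or the Thymeleaf project).
// Assumes Thymeleaf 3.x; the display-name field is hypothetical.
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class TemplateInputHandling {

    // A StringTemplateResolver treats the "template name" passed to
    // process() as the template content, so no files are needed here.
    private static TemplateEngine newEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // UNSAFE pattern: the request value becomes part of the template text,
    // so the engine parses it as template syntax (expressions included)
    // instead of treating it as data. This is the shape of code the
    // recommendation warns against; it is shown only for contrast.
    static String renderUnsafe(TemplateEngine engine, String untrusted) {
        String template = "<p>Hello, " + untrusted + "</p>";
        return engine.process(template, new Context());
    }

    // SAFE pattern: the template is a fixed string under developer control
    // and the request value is supplied only as a model variable. th:text
    // renders it as HTML-escaped text; it is never parsed as an expression.
    static String renderSafe(TemplateEngine engine, String untrusted) {
        String template = "<p>Hello, <span th:text=\"${name}\">name</span></p>";
        Context ctx = new Context();
        ctx.setVariable("name", untrusted);
        return engine.process(template, ctx);
    }

    // Allow-list validation at the boundary (hypothetical rule for this
    // application): letters, digits, spaces and a few punctuation marks,
    // at most 64 characters, nothing else.
    static boolean isValidDisplayName(String s) {
        return s != null && s.length() <= 64 && s.matches("[\\p{L}\\p{N} ._'-]+");
    }

    public static void main(String[] args) {
        TemplateEngine engine = newEngine();
        String fromRequest = "Ana <b>Lima</b>"; // constructed sample input

        if (!isValidDisplayName(fromRequest)) {
            System.out.println("rejected at input validation");
            return;
        }
        // Even if validation were looser, renderSafe emits the value as
        // escaped text rather than interpreting it as template syntax.
        System.out.println(renderSafe(engine, fromRequest));
    }
}
```

The two layers are independent: the fixed template plus th:text is what keeps request data out of the expression path, and the allow-list check rejects values the application has no reason to accept at all. Neither replaces the upgrade to 3.1.5.RELEASE.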

Related Identifiers

BDU:2026-07527
CVE-2026-41901
GHSA-C9PH-GXWW-7744

Affected Products

Thymeleaf