Strix
26.1K

CVE-2026-41901

CRITICALCVSS 9/10EPSS 0.43%

Last modified

CVE-2026-41901 is a critical-severity vulnerability rated 9/10 on the CVSS scale. Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. EPSS estimates a 0.43% chance of exploitation in the next 30 days.

Description

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

Metrics

CVSS 3.1
9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability
0.43%

34.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

Timeline

Published
Last Modified
Status
Deferred

Frequently Asked Questions

What is CVE-2026-41901?
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
How severe is CVE-2026-41901?
CVE-2026-41901 has a CVSS score of 9/10 (CRITICAL severity). The EPSS model estimates a 0.43% probability of exploitation in the next 30 days.
How do I fix CVE-2026-41901?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-41901?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST