GHSA-c9ph-gxww-7744

Source

https://github.com/advisories/GHSA-c9ph-gxww-7744

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c9ph-gxww-7744/GHSA-c9ph-gxww-7744.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c9ph-gxww-7744

Aliases

CVE-2026-41901

Published

2026-05-04T21:15:20Z

Modified

2026-05-13T17:02:46.716315Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns

Details

Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI).

Patches

This has been fixed in Thymeleaf 3.1.5.RELEASE. All users are advised to upgrade immediately.

Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated/unsanitized data directly to the template engine. Upgrading to 3.1.5.RELEASE is strongly recommended in any case.

Database specific

{
    "github_reviewed_at": "2026-05-04T21:15:20Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1336",
        "CWE-917"
    ],
    "nvd_published_at": "2026-05-12T23:16:17Z",
    "severity": "CRITICAL"
}

References

Affected packages

Maven / org.thymeleaf:thymeleaf

Package

Name: org.thymeleaf:thymeleaf; View open source insights on deps.dev
Purl: pkg:maven/org.thymeleaf/thymeleaf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.5.RELEASE

Affected versions

Other

1.*

1.0.0-beta1

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-beta5

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

2.*

2.0.0-beta1

2.0.0-beta2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.1.0-beta1

2.1.0-beta2

2.1.0-m1

2.1.0-m2

2.1.0-m3

2.1.0.RELEASE

2.1.1.RELEASE

2.1.2.RELEASE

2.1.3.RELEASE

2.1.4.RELEASE

2.1.5.RELEASE

2.1.6.RELEASE

3.*

3.0.0.ALPHA01

3.0.0.ALPHA02

3.0.0.ALPHA03

3.0.0.BETA01

3.0.0.BETA02

3.0.0.BETA03

3.0.0.RELEASE

3.0.1.RELEASE

3.0.2.RELEASE

3.0.3.RELEASE

3.0.4.RELEASE

3.0.5.RELEASE

3.0.6.RELEASE

3.0.7.RELEASE

3.0.8.RELEASE

3.0.9.RELEASE

3.0.10.RELEASE

3.0.11.RELEASE

3.0.12.RELEASE

3.0.13.RELEASE

3.0.14.RELEASE

3.0.15.RELEASE

3.1.0.M1

3.1.0.M2

3.1.0.M3

3.1.0.RC1

3.1.0.RC2

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

3.1.4.RELEASE

Database specific

last_known_affected_version_range

"<= 3.1.4.RELEASE"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c9ph-gxww-7744/GHSA-c9ph-gxww-7744.json"

Maven / org.thymeleaf:thymeleaf-spring5

Package

Name: org.thymeleaf:thymeleaf-spring5; View open source insights on deps.dev
Purl: pkg:maven/org.thymeleaf/thymeleaf-spring5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.5.RELEASE

Affected versions

3.*

3.0.3.M1

3.0.4.M2

3.0.5.M3

3.0.6.M4

3.0.7.RC1

3.0.8.RELEASE

3.0.9.RELEASE

3.0.10.RELEASE

3.0.11.RELEASE

3.0.12.RELEASE

3.0.13.RELEASE

3.0.14.RELEASE

3.0.15.RELEASE

3.1.0.M1

3.1.0.M2

3.1.0.M3

3.1.0.RC1

3.1.0.RC2

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

3.1.4.RELEASE

Database specific

last_known_affected_version_range

"<= 3.1.4.RELEASE"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c9ph-gxww-7744/GHSA-c9ph-gxww-7744.json"

Maven / org.thymeleaf:thymeleaf-spring6

Package

Name: org.thymeleaf:thymeleaf-spring6; View open source insights on deps.dev
Purl: pkg:maven/org.thymeleaf/thymeleaf-spring6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.5.RELEASE

Affected versions

3.*

3.1.0.M1

3.1.0.M2

3.1.0.M3

3.1.0.RC1

3.1.0.RC2

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

3.1.4.RELEASE

Database specific

last_known_affected_version_range

"<= 3.1.4.RELEASE"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c9ph-gxww-7744/GHSA-c9ph-gxww-7744.json"