External risk intelligence

An attacker could take control of Java apps using Thymeleaf by injecting malicious template expressions.

CVE advisory. Severity: CRITICAL (CVSS 9.0)

CVE-2026-41901

Java applications using Thymeleaf are at risk from a security bypass in the template engine's expression sandbox. An attacker who can get expression syntax into a sandboxed template context could escape the sandbox's restrictions and execute code on the server. This affects widely deployed web applications that process user input.

Halo Surface Signal: 4

External exposure likelihood

Halo Surface Signal score for CVE-2026-41901

Thymeleaf is a Java template engine integrated into web applications to dynamically render pages. Because these applications are frequently exposed to the internet to process user input through web forms or APIs, the library is commonly deployed in public-facing web environments where unsanitized user data is handled, leading to a high likelihood of internet reachability.

Horizon Alert

Summary of the vulnerability and why it matters

A security bypass in the Thymeleaf Java template engine's expression sandbox enables Server-Side Template Injection (SSTI). If unsanitized user input is evaluated as an expression in one of the restricted (sandboxed) template contexts, an attacker can escape those restrictions and execute arbitrary code on the server.

  • Sensitive data exposure and remote code execution are possible.
  • Affects applications using affected Thymeleaf versions.
  • Requires unsanitized user input to reach a template expression context; user data rendered only as an ordinary context variable does not by itself take this path.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by submitting specially crafted input to a web application that uses an affected version of Thymeleaf. The precondition is that the developer lets user-supplied data become part of an expression rather than the value of one: concatenating request data into template text, using it as a template or fragment name, or feeding it through the double-underscore preprocessing syntax (__${...}__) so that it is evaluated as a second expression. When such data carries malicious expressions into a sandboxed context, the sandbox bypass lets the attacker's code run on the server, leading to a complete compromise.

  • Publicly accessible web applications
  • User input processing
  • Unsanitized variable input
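To make the precondition concrete, the following is an added example written for this page (not code from the advisory or from the Thymeleaf project). It contrasts user data that becomes part of the template source, where Thymeleaf parses and evaluates any inlined expression it contains, with the same data passed as a context variable, which th:text renders as escaped text and never evaluates. The advisory does not publish the specific sandbox-bypass expression for CVE-2026-41901, so the probe used here is the harmless arithmetic `[[${7*7}]]`; the structural point is that if a probe evaluates, attacker-controlled expressions are reaching the engine at all, and any bypass of its expression restrictions then applies. It assumes Thymeleaf 3.x on the classpath and a standalone (non-Spring) engine, so expressions are evaluated with OGNL.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templateresolver.StringTemplateResolver;

/*
 * Added example for this page; not code from the advisory or the Thymeleaf project.
 * Dependency assumed: org.thymeleaf:thymeleaf:3.x (standalone engine, OGNL expressions).
 * The "Hello" greeting page and the probe value are constructed for the demo.
 */
public class ThymeleafSstiDemo {

    private static TemplateEngine newEngine() {
        TemplateEngine engine = new TemplateEngine();
        // StringTemplateResolver treats the "template name" passed to process()
        // as the template text itself, which keeps this demo self-contained.
        engine.setTemplateResolver(new StringTemplateResolver());
        return engine;
    }

    // VULNERABLE pattern: the request value is spliced into the template source.
    // Thymeleaf parses the resulting text, so inlined expressions such as
    // [[${...}]] inside the user value are evaluated by the engine.
    static String renderUnsafe(String userInput) {
        String template = "<p>Hello " + userInput + "</p>";
        return newEngine().process(template, new Context());
    }

    // SAFE pattern: the template is a constant and the request value is only a
    // context variable. th:text HTML-escapes the value and does not re-parse it,
    // so expression syntax inside the value stays literal text.
    static String renderSafe(String userInput) {
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return newEngine().process("<p th:text=\"|Hello ${name}|\"></p>", ctx);
    }

    public static void main(String[] args) {
        // Constructed SSTI probe: harmless arithmetic, used only to show whether
        // attacker-supplied expression syntax gets evaluated.
        String probe = "[[${7*7}]]";
        System.out.println("unsafe: " + renderUnsafe(probe));
        System.out.println("safe:   " + renderSafe(probe));
    }
}
```

Run with the probe above and the unsafe path prints the arithmetic result in place of the probe, while the safe path prints the probe string unchanged as escaped text. The same distinction applies to template and fragment names and to __${...}__ preprocessing: anything that turns request data into expression source, rather than an expression's value, is the pattern to remove.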

Live Threat

Current exploitation, exposure, and threat context

The vulnerability in Thymeleaf's expression execution allows for Server-Side Template Injection, a serious concern given Thymeleaf's widespread use in web applications. Attackers favor this type of vulnerability because it can lead to remote code execution, offering significant control over compromised systems.

  • Exploitation is possible via unsanitized input.
  • No public exploit code is currently observed.
  • The fix is recent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching systems using Thymeleaf versions earlier than 3.1.5.RELEASE to address the Server-Side Template Injection vulnerability. If immediate patching is not feasible, remove the precondition: never build template text, template or fragment names, or preprocessed expressions from user-supplied data; pass user data to the engine only as context variables. Reject or strictly validate any input that carries expression delimiters (${, *{, #{, @{, ~{, [[, [( or __) where such syntax has no legitimate business meaning, and monitor request traffic for those delimiters combined with Java-reaching constructs such as T(...), new or Runtime.

  • Patch to 3.1.5.RELEASE or later.
  • Keep user input out of template source and expressions; pass it only as context variables.
  • Monitor requests for SSTI expression syntax.
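One way to act on the monitoring recommendation, as an added example written for this page (not the advisory's or any vendor's detection logic): classify request targets from access logs by whether they carry Thymeleaf standard-expression syntax, the minimum any SSTI attempt needs, and escalate when that syntax is combined with constructs that reach Java classes or processes. The log lines, the /profile endpoint and the severity labels are constructed for the demo; it assumes Java 11 or later for URLDecoder.decode(String, Charset).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added example for this page; not the advisory's or any vendor's detection logic.
 * Input format assumed: combined/common access-log lines with the request line in quotes.
 */
public class SstiLogScanner {

    // Thymeleaf standard-expression delimiters (${ *{ #{ @{ ~{) and the
    // inlining openers [[ and [(. Preprocessing __${...}__ is caught by its inner ${.
    private static final Pattern EXPRESSION_SYNTAX =
        Pattern.compile("[$*#@~]\\{|\\[\\[|\\[\\(");

    // Constructs an expression needs in order to reach Java classes or processes.
    private static final Pattern JAVA_REACH =
        Pattern.compile("\\bT\\s*\\(|\\bnew\\s+[A-Za-z_]|Runtime|ProcessBuilder|getClass\\s*\\(");

    // Decode twice: double URL-encoding is a routine evasion of single-pass rules.
    // A malformed %-sequence stops decoding and the value is inspected as-is.
    static String decode(String s) {
        String once;
        try {
            once = URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s;
        }
        try {
            return URLDecoder.decode(once, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return once;
        }
    }

    /** Returns "clean", "probe" (expression syntax only) or "code-reach" (syntax plus Java access). */
    static String classify(String requestTarget) {
        String decoded = decode(requestTarget);
        if (!EXPRESSION_SYNTAX.matcher(decoded).find()) {
            // JAVA_REACH on its own (e.g. a search for the word "Runtime") is not an SSTI attempt.
            return "clean";
        }
        return JAVA_REACH.matcher(decoded).find() ? "code-reach" : "probe";
    }

    // Extracts the request target from: ... "GET /path?q=x HTTP/1.1" ...
    static String requestTarget(String logLine) {
        String[] quoted = logLine.split("\"");
        if (quoted.length < 2) return "";
        String[] parts = quoted[1].split(" ");
        return parts.length >= 2 ? parts[1] : "";
    }

    static List<String> scan(List<String> logLines) {
        List<String> findings = new ArrayList<>();
        for (String line : logLines) {
            String target = requestTarget(line);
            String verdict = classify(target);
            if (!verdict.equals("clean")) {
                findings.add(verdict + " " + decode(target));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log: a normal request, an arithmetic probe, and a
        // preprocessing-wrapped expression that tries to reach java.lang.Runtime.
        List<String> constructedLog = List.of(
            "10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] \"GET /profile?name=alice HTTP/1.1\" 200 512",
            "10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] \"GET /profile?name=%5B%5B%24%7B7*7%7D%5D%5D HTTP/1.1\" 200 498",
            "10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] \"GET /profile?name=__%24%7BT(java.lang.Runtime).getRuntime().exec('id')%7D__::.x HTTP/1.1\" 500 0"
        );
        scan(constructedLog).forEach(System.out::println);
    }
}
```

On the sample above the first line is clean, the second is reported as a probe, and the third as code-reach. Only GET query strings are visible in access logs; to cover POST bodies and headers, run the same classify() over parameter values inside a servlet filter. Expect some false positives from legitimate values containing [[ or ${ (for example pasted configuration snippets), so tune the "probe" tier per application before alerting on it, and treat "code-reach" as high confidence.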

Frequently asked questions

What is Thymeleaf and its role in web development?

Thymeleaf is a Java-based, server-side template engine widely used in web applications and standalone environments. It enables developers to dynamically generate web pages by processing templates with variable data, integrating seamlessly with frameworks like Spring.

What type of weakness does CVE-2026-41901 represent?

CVE-2026-41901 is a Server-Side Template Injection (SSTI) vulnerability. This weakness stems from Thymeleaf's failure to properly neutralize specific expression constructs within sandboxed contexts, potentially allowing unintended code execution.

How can an attacker exploit the Thymeleaf SSTI vulnerability?

An attacker could exploit this by submitting crafted input to a web application using an affected Thymeleaf version. If user data is allowed to become part of an expression (spliced into template text, used as a template or fragment name, or passed through __${...}__ preprocessing) in a sandboxed template context, the attacker's expressions bypass the sandbox and their code is executed on the server.

What is the relevance of this Thymeleaf vulnerability in the current threat landscape?

Thymeleaf's widespread use in web applications makes this SSTI vulnerability a significant concern. Attackers can leverage it for remote code execution, granting them substantial control over compromised systems. While no public exploit code is currently observed, the vulnerability is classified as critical and its fix is recent.

What steps should be taken to respond to this Thymeleaf vulnerability?

The primary response is to update Thymeleaf to version 3.1.5.RELEASE or later. If immediate patching isn't possible, keep user-supplied data out of template source, template and fragment names, and preprocessed expressions, passing it only as context variables; validate or reject input carrying expression delimiters where they have no legitimate meaning; and monitor request traffic for expression syntax, particularly when combined with constructs such as T(...) that reach Java classes.
