Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns — CVE-2026-41901

GitHub · GitHub · CVE-2026-41901

ID
CVE-2026-41901

Date
2026-05-04

Updated
2026-05-13

Activity
2026-05-13

Source
GitHub

Vendor
GitHub

Threat
critical

CVSS
9

EPSS
0.00079

Summary

### Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application…

Product

maven: org.thymeleaf:thymeleaf | maven: org.thymeleaf:thymeleaf-spring5 | maven: org.thymeleaf:thymeleaf-spring6

What to do

General, cautious steps (verify details in the official source):

Prioritize patching or mitigation immediately (treat as actively risky).
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W20

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns — CVE-2026-41901

Summary

Product

What to do

Official advisory

Related advisories

Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.6.11

Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.11

Authlib: Cross-site request forging when using cache

AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

Important: firefox security update

Important: gimp:2.8 security update