Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns — CVE-2026-41901

GitHub · GitHub · CVE-2026-41901

ID
CVE-2026-41901

Datum
2026-05-04

Aktualisiert
2026-05-13

Activity
2026-05-13

Quelle
GitHub

Vendor
GitHub

Risiko
critical

CVSS
9

EPSS
0.00079

Zusammenfassung

### Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application…

Produkt

maven: org.thymeleaf:thymeleaf | maven: org.thymeleaf:thymeleaf-spring5 | maven: org.thymeleaf:thymeleaf-spring6

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Mehr dazu

GitHub GitHub 2026-W20

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns — CVE-2026-41901

Zusammenfassung

Produkt

Was tun?

Offizielles Advisory

Mehr dazu

Assisted Installer RHEL 8 components for Multicluster Engine for Kubernetes 2.6.11

Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.11

Authlib: Cross-site request forging when using cache

AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

Important: firefox security update

Important: gimp:2.8 security update