
Thymeleaf CVE-2026-41901

Severity: CRITICAL (CVSS 3.1 base score 9.0)
Weakness: Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
Date: 2026-05-04
Project: https://github.com/thymeleaf/thymeleaf
Advisory: GHSA-c9ph-gxww-7744

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: May 04, 2026 - 21:45 (vuln.today)
Analysis Generated: May 04, 2026 - 21:45 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to a 4-path depth):
  • 282 maven packages depend on org.thymeleaf:thymeleaf (38 direct, 244 indirect)
  • 3 maven packages depend on org.thymeleaf:thymeleaf-spring5 (3 direct, 0 indirect)
  • 484 maven packages depend on org.thymeleaf:thymeleaf-spring6 (20 direct, 466 indirect)

Ecosystem-wide dependent count for version 3.1.5.RELEASE and other introduced versions.

Description (NVD)

Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow these kinds of expressions to be executed. If an application developer passes unsanitized variables containing such expressions to the template engine, and these values are used in sandboxed contexts inside the templates, the expressions can be executed, achieving Server-Side Template Injection (SSTI).

Patches

This has been fixed in Thymeleaf 3.1.5.RELEASE. All users are advised to upgrade immediately.

Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated/unsanitized data directly to the template engine. Upgrading to 3.1.5.RELEASE is strongly recommended in any case.

Analysis (AI-generated)

Server-Side Template Injection (SSTI) in Thymeleaf 3.1.4.RELEASE and earlier allows remote attackers to execute arbitrary code via specially crafted expressions that bypass the template engine's sandbox restrictions. Applications passing unsanitized user input to sandboxed template contexts are vulnerable to full server compromise. …


Remediation (AI-generated)

Within 24 hours: Inventory all applications using Thymeleaf 3.1.4.RELEASE or earlier and assess which accept user input in template contexts. Within 7 days: Upgrade affected systems to Thymeleaf 3.1.5.RELEASE and redeploy applications. …
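The inventory step above means finding every build that pulls in the core org.thymeleaf:thymeleaf artifact at 3.1.4.RELEASE or earlier, including indirectly through thymeleaf-spring5/thymeleaf-spring6. The following added example (not part of the advisory or of the Thymeleaf project) scans `mvn dependency:tree` output for such occurrences and reports the dependency depth; the sample tree it runs on is constructed for the example.

```python
import re
from typing import List, Tuple

# The vulnerable code lives in the core artifact; the thymeleaf-spring5/6
# modules pull it in transitively, so every level of the tree is scanned.
VULNERABLE_ARTIFACT = "org.thymeleaf:thymeleaf"
FIXED_VERSION = "3.1.5.RELEASE"  # per the advisory: fixed in 3.1.5.RELEASE

# Matches "groupId:artifactId:jar:version:scope" anywhere in a tree line.
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):(\w+)")

# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = r"""[INFO] com.example:webapp:jar:1.0.0
[INFO] +- org.thymeleaf:thymeleaf-spring6:jar:3.1.2.RELEASE:compile
[INFO] |  \- org.thymeleaf:thymeleaf:jar:3.1.2.RELEASE:compile
[INFO] |     \- org.example:parser:jar:2.0.0:compile
[INFO] \- org.example:legacy-reports:jar:1.4.0:test
[INFO]    \- org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE:test
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple of a Maven version: '3.1.4.RELEASE' -> (3, 1, 4).
    The RELEASE qualifier (or a milestone tag) is ignored for ordering."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def is_vulnerable(version: str) -> bool:
    """True for any version up to and including 3.1.4.RELEASE, i.e. < 3.1.5."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_vulnerable_thymeleaf(tree_output: str) -> List[Tuple[str, str, int]]:
    """Return (coordinates, scope, depth) for each vulnerable core Thymeleaf
    entry. Depth 1 is a direct dependency; deeper entries are transitive."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue  # root line or non-dependency log output
        group, artifact, version, scope = m.groups()
        if f"{group}:{artifact}" != VULNERABLE_ARTIFACT or not is_vulnerable(version):
            continue
        # Maven draws one leading space, then 3 characters per tree level
        # ("+- ", "|  ", "\- " or "   "), so the prefix length gives the depth.
        prefix = line.split("]", 1)[1] if line.startswith("[INFO]") else line
        depth = (len(prefix) - len(prefix.lstrip(" +-|\\"))) // 3
        hits.append((f"{group}:{artifact}:{version}", scope, depth))
    return hits


if __name__ == "__main__":
    for coords, scope, depth in find_vulnerable_thymeleaf(SAMPLE_TREE):
        print(f"{coords} (scope={scope}, depth={depth})")
```

Run it against the real output of `mvn dependency:tree` for each build; a test-scoped hit is lower priority but still leaves the vulnerable jar in the project's dependency set.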
