Server-Side Template Injection in Thymeleaf by Thymeleaf
CVE-2026-41901

9.0 CRITICAL

Key Information:

Vendor: Thymeleaf
Status: Vendor
CVE Published: 12 May 2026

What is CVE-2026-41901?

CVE-2026-41901 is a server-side template injection (SSTI) vulnerability in Thymeleaf, a widely used Java template engine for rendering web pages and processing templates in Java applications. The flaw lies in the engine's expression execution mechanisms in versions prior to 3.1.5.RELEASE: variables that carry dangerous expression syntax can reach the template engine unsanitised and are then evaluated, even in contexts that are meant to be sandboxed. Because such expressions run with the privileges of the application, successful exploitation can give an attacker arbitrary code execution on the server, and with it unauthorised access to and control over the affected system. Given how widely Thymeleaf is embedded in web applications, this vulnerability presents a serious risk to organisations that rely on it for their web services.
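The following is an added illustration of the SSTI pattern the advisory describes, not code from the advisory or from the Thymeleaf project, and it makes no claim about the exact trigger of CVE-2026-41901. It assumes a Spring MVC application using Thymeleaf as its view layer; the class, route, template and parameter names are hypothetical. The unsafe handler lets request text become part of a string the engine evaluates; the hardened handler maps user input onto a fixed set of fragment names and passes user data only as model attributes, with a defence-in-depth check for Thymeleaf expression openers.

```java
// Added example (not from the advisory or the Thymeleaf project). Assumes Spring Boot
// with spring-boot-starter-thymeleaf; names below are hypothetical.
package example.ssti;

import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class ProfileController {

    // VULNERABLE PATTERN: attacker-controlled text becomes part of what the engine
    // evaluates. A view name of the form "template :: selector" is a fragment
    // expression in Thymeleaf, so whatever follows "section=" is handed to the
    // expression machinery instead of being treated as inert data.
    @GetMapping("/profile/unsafe")
    public String unsafe(@RequestParam("section") String section) {
        return "profile :: " + section;
    }

    // HARDENED: the caller chooses a key, and the key is checked against the fixed
    // set of fragment names that exist in profile.html. User data reaches the
    // template only as a model attribute, which th:text renders as escaped text,
    // never as an expression.
    private static final Set<String> SECTIONS = Set.of("summary", "activity", "settings");

    @GetMapping("/profile")
    public String safe(@RequestParam(value = "section", defaultValue = "summary") String section,
                       @RequestParam(value = "name", defaultValue = "") String name,
                       Model model) {
        if (!SECTIONS.contains(section)) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unknown section");
        }
        if (looksLikeTemplateExpression(name)) {
            // Defence in depth: reject rather than attempt to sanitise.
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid name");
        }
        model.addAttribute("displayName", name);
        return "profile :: " + section; // always one of three constant strings
    }

    // Thymeleaf expression openers (${ *{ #{ @{ ~{) and the "__" preprocessing
    // marker. Rejecting them in values that must never be evaluated is cheap and
    // catches mistakes elsewhere in the code base; it is not a substitute for
    // upgrading to 3.1.5.RELEASE or later.
    private static final Pattern EXPRESSION_SYNTAX =
            Pattern.compile("\\$\\{|\\*\\{|#\\{|@\\{|~\\{|__");

    static boolean looksLikeTemplateExpression(String value) {
        return value != null && EXPRESSION_SYNTAX.matcher(value).find();
    }
}
```

The matching `profile.html` would declare the three fragments with `th:fragment="summary"`, `th:fragment="activity"` and `th:fragment="settings"`, and render the name with `<span th:text="${displayName}">` rather than `th:utext`, which would undo the escaping. The allowlist, not the regular expression, is the actual control: once user input can only select among constant strings, there is nothing for the engine to evaluate. In a Spring Boot build the engine version is managed by the BOM, so the upgrade is expressed by setting the `thymeleaf.version` property to `3.1.5.RELEASE` (or newer) and confirming with `mvn dependency:tree` or `gradle dependencies` that no older `org.thymeleaf:thymeleaf` artifact is still resolved.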

Potential Impact of CVE-2026-41901

  1. Remote Code Execution: The primary risk associated with this vulnerability is the potential for remote code execution, allowing attackers to gain control of the server running the Thymeleaf engine. This could lead to further exploitation of the environment, data breaches, or service disruptions.

  2. Data Exposure: By exploiting this vulnerability, malicious actors could access sensitive data stored within the web application or the underlying database. This exposure could result in significant financial and reputational damage to organizations.

  3. Broad Exposure: Because Thymeleaf is embedded in many applications, a single engine-level flaw affects every application that renders templates with a vulnerable version. Widely deployed components of this kind are attractive to threat actors, so organisations should expect exploitation attempts across many targets, including coordinated campaigns, rather than isolated incidents.

Affected Version(s)

thymeleaf < 3.1.5.RELEASE


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 9.0
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability Reserved

  • Vulnerability Published: 12 May 2026