best.skn:skn-spring-mail (>=1.0.0 <=2.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=7.0.0 <=8.8.1) +751 more potentially affected by CVE-2026-41901 via org.thymeleaf:thymeleaf-spring6 (>=3.1.0.M1 <=3.1.4.RELEASE)

org.thymeleaf:thymeleaf-spring6 MAVEN version =3.1.0.M1, =1.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.6.0, =7.6.0, =7.0.0, =7.0.0, =8.8.1 and more Source cves: CVE-2026-41901 Source advisory: OSV:GHSA-C9PH-GXWW-7744...

ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), am.ik.home:uaa-server (>=1.0.0 <=1.9.0) +3237 more potentially affected by CVE-2026-41901 via org.thymeleaf:thymeleaf (>=m1 <=3.1.4.RELEASE)

org.thymeleaf:thymeleaf MAVEN version =m1, =0.5.0, =1.0.0, =0.9.6, =0.9.6, =1.0.0, =0.0.1, =1.0.0, =1.0, =3.4.0, =5.6.5, =4.1.0, =6.4.7 and more Source cves: CVE-2026-41901 Source advisory: OSV:GHSA-C9PH-GXWW-7744...

CVE-2026-40477

A flaw was found in Thymeleaf, a server-side Java template engine. An unauthenticated remote attacker can exploit a security bypass vulnerability in the expression execution mechanisms. By providing unvalidated user input directly to the template engine, the attacker can bypass the library's...

ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), au.com.cybernostics:theme-tree (=0.9.0) +2936 more potentially affected by CVE-2026-40478 via org.thymeleaf:thymeleaf (>=3.0.0.ALPHA01 <=3.1.3.RELEASE)

org.thymeleaf:thymeleaf MAVEN version =3.0.0.ALPHA01, =0.5.0, =0.9.6, =0.9.6, =1.0.0, =0.0.1, =1.0.0, =1.0, =3.4.0, =5.6.5, =4.1.0, =4.1.0, =3.6.0, =5.0.0, =5.5.7 and more Source cves: CVE-2026-40478 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16078379...

ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), am.ik.home:uaa-server (>=1.0.0 <=1.9.0) +3237 more potentially affected by CVE-2026-40477 via org.thymeleaf:thymeleaf (>=m1 <=3.1.3.RELEASE)

org.thymeleaf:thymeleaf MAVEN version =m1, =0.5.0, =1.0.0, =0.9.6, =0.9.6, =1.0.0, =0.0.1, =1.0.0, =1.0, =3.4.0, =5.6.5, =4.1.0, =6.4.7 and more Source cves: CVE-2026-40477 Source advisory: OSV:GHSA-R4V4-5MWR-2FWR...

ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), au.com.cybernostics:theme-tree (=0.9.0) +2936 more potentially affected by CVE-2026-40477 via org.thymeleaf:thymeleaf (>=3.0.0.ALPHA01 <=3.1.3.RELEASE)

org.thymeleaf:thymeleaf MAVEN version =3.0.0.ALPHA01, =0.5.0, =0.9.6, =0.9.6, =1.0.0, =0.0.1, =1.0.0, =1.0, =3.4.0, =5.6.5, =4.1.0, =4.1.0, =3.6.0, =5.0.0, =5.5.7 and more Source cves: CVE-2026-40477 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16078372...

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin aka Spring Boot Admin through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI Server Side Template Injection and code execution in spring-boot-admin if MailNotifier is enabled and there i...