Lucene search: Thymeleaf

4 matches found

CVE, added 2026/04/17 9:57 p.m., 281 views

CVE-2026-40478

CVE-2026-40478 affects the Thymeleaf Java template engine (versions up to 3.1.3.RELEASE). A security bypass allows unauthenticated SSTI by passing unvalidated input to the expression evaluation mechanism; this is fixed in 3.1.4.RELEASE. Connected sources consistently state the root cause as impro...

CVSS 9, AI score 6, EPSS 0.00055
CVE, added 2021/11/09 12:0 a.m., 177 views

CVE-2021-43466

CVE-2021-43466 affects thymeleaf-spring5, specifically the 3.0.12 release, where template injection in Thymeleaf can lead to remote code execution. The vulnerability is tied to thymeleaf-spring5 usage and template rendering scenarios that enable code execution. Remediation in the provided docs re...

CVSS 9.8, AI score 9.8, EPSS 0.04592
CVE, added 2023/07/14 12:0 a.m., 70 views

CVE-2023-38286

Thymeleaf 3.1.1.RELEASE (used in Spring Boot Admin up to 3.1.1) is affected by a sandbox bypass via crafted HTML, enabling potential SSTI and code execution if MailNotifier is enabled with write access to environment variables in the UI. Affected products: Thymeleaf 3.1.1.RELEASE and Spring Boot ...

CVSS 7.5, AI score 7.8, EPSS 0.00147
CVE, added 2026/04/17 9:53 p.m., 54 views

CVE-2026-40477

Thymeleaf (Java template engine) versions up to 3.1.3.RELEASE are affected by an SSTI vulnerability in expression execution, where unvalidated user input can bypass protections and access potentially sensitive objects within a template. This is a security bypass allowing unauthenticated remote ex...

CVSS 9, AI score 5.9, EPSS 0.00055