Search criteria
12 vulnerabilities found for thymeleaf by thymeleaf
CVE-2026-41901 (GCVE-0-2026-41901)
Vulnerability from nvd – Published: 2026-05-12 22:35 – Updated: 2026-05-13 12:08
VLAI
Title
Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions
Summary
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/thymeleaf/thymeleaf/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:07:53.448371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:08:38.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thymeleaf",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.5.RELEASE"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T22:35:50.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744"
}
],
"source": {
"advisory": "GHSA-c9ph-gxww-7744",
"discovery": "UNKNOWN"
},
"title": "Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41901",
"datePublished": "2026-05-12T22:35:50.617Z",
"dateReserved": "2026-04-22T15:11:54.672Z",
"dateUpdated": "2026-05-13T12:08:38.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40478 (GCVE-0-2026-40478)
Vulnerability from nvd – Published: 2026-04-17 21:57 – Updated: 2026-04-22 03:55
VLAI
Title
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Summary
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/thymeleaf/thymeleaf/security/a… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| thymeleaf | thymeleaf |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring5 |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring6 |
Affected:
< 3.1.4.RELEASE
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:42.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thymeleaf",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring5",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring6",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u0027s protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:57:01.560Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79"
}
],
"source": {
"advisory": "GHSA-xjw8-8c5c-9r79",
"discovery": "UNKNOWN"
},
"title": "Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40478",
"datePublished": "2026-04-17T21:57:01.560Z",
"dateReserved": "2026-04-13T19:50:42.113Z",
"dateUpdated": "2026-04-22T03:55:42.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40477 (GCVE-0-2026-40477)
Vulnerability from nvd – Published: 2026-04-17 21:53 – Updated: 2026-04-22 03:55
VLAI
Title
Improper restriction of the scope of accessible objects in Thymeleaf expressions
Summary
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/thymeleaf/thymeleaf/security/a… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| thymeleaf | thymeleaf |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring5 |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring6 |
Affected:
< 3.1.4.RELEASE
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:41.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thymeleaf",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring5",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring6",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u0027s protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:53:47.271Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr"
}
],
"source": {
"advisory": "GHSA-r4v4-5mwr-2fwr",
"discovery": "UNKNOWN"
},
"title": "Improper restriction of the scope of accessible objects in Thymeleaf expressions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40477",
"datePublished": "2026-04-17T21:53:47.271Z",
"dateReserved": "2026-04-13T19:50:42.113Z",
"dateUpdated": "2026-04-22T03:55:41.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-38286 (GCVE-0-2023-38286)
Vulnerability from nvd – Published: 2023-07-14 00:00 – Updated: 2024-10-30 16:01
VLAI
Summary
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Severity
No CVSS data available.
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:39:12.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38286",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T16:00:59.004384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T16:01:10.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38286",
"datePublished": "2023-07-14T00:00:00.000Z",
"dateReserved": "2023-07-14T00:00:00.000Z",
"dateUpdated": "2024-10-30T16:01:10.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43466 (GCVE-0-2021-43466)
Vulnerability from nvd – Published: 2021-11-09 00:00 – Updated: 2024-08-04 03:55
VLAI
Summary
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:29.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.186365"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221014-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html"
},
{
"url": "https://vuldb.com/?id.186365"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221014-0001/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43466",
"datePublished": "2021-11-09T00:00:00.000Z",
"dateReserved": "2021-11-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:55:29.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-41901 (GCVE-0-2026-41901)
Vulnerability from cvelistv5 – Published: 2026-05-12 22:35 – Updated: 2026-05-13 12:08
VLAI
Title
Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions
Summary
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/thymeleaf/thymeleaf/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:07:53.448371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:08:38.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thymeleaf",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.5.RELEASE"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T22:35:50.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744"
}
],
"source": {
"advisory": "GHSA-c9ph-gxww-7744",
"discovery": "UNKNOWN"
},
"title": "Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41901",
"datePublished": "2026-05-12T22:35:50.617Z",
"dateReserved": "2026-04-22T15:11:54.672Z",
"dateUpdated": "2026-05-13T12:08:38.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40478 (GCVE-0-2026-40478)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:57 – Updated: 2026-04-22 03:55
VLAI
Title
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Summary
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/thymeleaf/thymeleaf/security/a… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| thymeleaf | thymeleaf |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring5 |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring6 |
Affected:
< 3.1.4.RELEASE
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:42.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thymeleaf",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring5",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring6",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u0027s protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:57:01.560Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79"
}
],
"source": {
"advisory": "GHSA-xjw8-8c5c-9r79",
"discovery": "UNKNOWN"
},
"title": "Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40478",
"datePublished": "2026-04-17T21:57:01.560Z",
"dateReserved": "2026-04-13T19:50:42.113Z",
"dateUpdated": "2026-04-22T03:55:42.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40477 (GCVE-0-2026-40477)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:53 – Updated: 2026-04-22 03:55
VLAI
Title
Improper restriction of the scope of accessible objects in Thymeleaf expressions
Summary
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/thymeleaf/thymeleaf/security/a… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| thymeleaf | thymeleaf |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring5 |
Affected:
< 3.1.4.RELEASE
|
|
| thymeleaf | org.thymeleaf:thymeleaf-spring6 |
Affected:
< 3.1.4.RELEASE
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T03:55:41.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thymeleaf",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring5",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
},
{
"product": "org.thymeleaf:thymeleaf-spring6",
"vendor": "thymeleaf",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4.RELEASE"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u0027s protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:53:47.271Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr"
}
],
"source": {
"advisory": "GHSA-r4v4-5mwr-2fwr",
"discovery": "UNKNOWN"
},
"title": "Improper restriction of the scope of accessible objects in Thymeleaf expressions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40477",
"datePublished": "2026-04-17T21:53:47.271Z",
"dateReserved": "2026-04-13T19:50:42.113Z",
"dateUpdated": "2026-04-22T03:55:41.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-38286 (GCVE-0-2023-38286)
Vulnerability from cvelistv5 – Published: 2023-07-14 00:00 – Updated: 2024-10-30 16:01
VLAI
Summary
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Severity
No CVSS data available.
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:39:12.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38286",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T16:00:59.004384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T16:01:10.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38286",
"datePublished": "2023-07-14T00:00:00.000Z",
"dateReserved": "2023-07-14T00:00:00.000Z",
"dateUpdated": "2024-10-30T16:01:10.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43466 (GCVE-0-2021-43466)
Vulnerability from cvelistv5 – Published: 2021-11-09 00:00 – Updated: 2024-08-04 03:55
VLAI
Summary
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:29.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.186365"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221014-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html"
},
{
"url": "https://vuldb.com/?id.186365"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221014-0001/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43466",
"datePublished": "2021-11-09T00:00:00.000Z",
"dateReserved": "2021-11-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:55:29.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2023-38286
Vulnerability from fkie_nvd - Published: 2023-07-14 05:15 - Updated: 2024-11-21 08:13
Severity
Summary
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| codecentric | spring_boot_admin | * | |
| thymeleaf | thymeleaf | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:codecentric:spring_boot_admin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "07383771-7F5A-4810-89D7-FFF8AF7A63BB",
"versionEndIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:thymeleaf:thymeleaf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2DA50950-9EC5-4064-AE20-D210B4562F91",
"versionEndIncluding": "3.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI."
}
],
"id": "CVE-2023-38286",
"lastModified": "2024-11-21T08:13:13.970",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-14T05:15:09.627",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-43466
Vulnerability from fkie_nvd - Published: 2021-11-09 12:15 - Updated: 2024-11-21 06:29
Severity
Summary
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20221014-0001/ | Third Party Advisory | |
| cve@mitre.org | https://vuldb.com/?id.186365 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20221014-0001/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.186365 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thymeleaf:thymeleaf:3.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A9697B72-8324-4B85-954B-423E147D90B6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution."
},
{
"lang": "es",
"value": "En el componente thymeleaf-spring versi\u00f3n 5.3.0.12, thymeleaf combinado con escenarios espec\u00edficos en la inyecci\u00f3n de plantillas puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-43466",
"lastModified": "2024-11-21T06:29:17.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-09T12:15:10.693",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20221014-0001/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.186365"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20221014-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.186365"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}