CVE-2026-41901: Critical Server-Side Template Injection in Thymeleaf
The National Vulnerability Database has disclosed CVE-2026-41901, a critical security bypass in Thymeleaf, a popular server-side Java template engine. Prior to version 3.1.5.RELEASE, Thymeleaf’s expression execution mechanisms contain a flaw that allows specific constructs to bypass its sandboxing protections. This means that even in contexts designed to restrict dangerous expressions, such expressions can still be executed.
This vulnerability enables Server-Side Template Injection (SSTI) if an application developer passes unsanitized user-controlled variables containing these specific expressions into templates. The National Vulnerability Database assigns a CVSSv3.1 score of 9 (CRITICAL) to this flaw, highlighting the severe risk of remote code execution or data exfiltration if exploited. The issue is tracked under CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement) and CWE-1336 (Improper Neutralization of Special Elements used in a Template Engine).
Attackers can leverage this to execute arbitrary code on the server, compromise data, or pivot further into the network. The fix is available in Thymeleaf version 3.1.5.RELEASE. This isn’t theoretical; SSTI vulnerabilities are actively exploited in the wild and provide a direct path to server compromise.
What This Means For You
- If your organization uses Thymeleaf, you need to immediately identify all instances running versions prior to 3.1.5.RELEASE. Prioritize patching to 3.1.5.RELEASE or later. Additionally, review application code for any instances where unsanitized user input is passed directly into Thymeleaf templates, especially in sandboxed contexts, as this creates the exploit vector for CVE-2026-41901.
🛡️ Detection Rules
3 detection rules (6 SIEM formats) were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML is shown below.
CVE-2026-41901: Thymeleaf SSTI Attempt via Expression Injection
```yaml
# Title is quoted: a plain YAML scalar may not contain ': ' after the key.
title: 'CVE-2026-41901: Thymeleaf SSTI Attempt via Expression Injection'
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-41901 by looking for common Thymeleaf expression syntax within the URI query string. This indicates a potential Server-Side Template Injection (SSTI) attempt where an attacker tries to inject malicious expressions into a sandboxed context.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41901/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '${'
      - '#{'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
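The rule above only fires on a literal `${` or `#{` in `cs-uri-query`. The following is an added example, not part of the original post or the Sigma rule, that applies the same selection to constructed W3C-style web-server log lines and optionally URL-decodes the query first, so that percent-encoded markers such as `%24%7B` are also caught. The field order and the log lines are assumptions made for this example.

```python
from urllib.parse import unquote

# Expression-syntax markers taken from the Sigma selection (cs-uri-query|contains).
EXPRESSION_MARKERS = ("${", "#{")

# Assumed '#Fields:' order for an IIS/W3C extended log; adjust to your own logs.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

def parse_w3c_line(line):
    """Split one W3C extended-log line into a dict keyed by FIELDS (None if malformed)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def matches_rule(query, decode=True):
    """Mirror the Sigma selection. With decode=True the query is URL-decoded first,
    so '%24%7B' is detected as well as a literal '${'. A '-' means no query string."""
    if query in ("", "-"):
        return False
    candidate = unquote(query) if decode else query
    return any(marker in candidate for marker in EXPRESSION_MARKERS)

def scan_log(lines, decode=True):
    """Return (c-ip, cs-uri-stem, cs-uri-query) for every record matching the rule."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # skip W3C directive lines
            continue
        rec = parse_w3c_line(line)
        if rec and matches_rule(rec["cs-uri-query"], decode):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"]))
    return hits

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2026-05-13 02:20:01 203.0.113.10 GET /search q=thymeleaf+tutorial 200",
    "2026-05-13 02:20:07 198.51.100.5 GET /greet name=${probe} 500",
    "2026-05-13 02:20:09 198.51.100.5 GET /greet name=%24%7Bprobe%7D 500",
    "2026-05-13 02:20:15 203.0.113.10 GET /profile - 200",
]

if __name__ == "__main__":
    for ip, stem, query in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {stem}?{query}")
```

Decoding matters most for the `#{` marker: a bare `#` is treated as a fragment delimiter by browsers and never reaches the server, so in real logs it almost only appears as `%23%7B`.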
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41901 | Server-Side Template Injection | Thymeleaf versions prior to 3.1.5.RELEASE |
| CVE-2026-41901 | Security Bypass | Thymeleaf expression execution mechanisms |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.