Vulnerable Library - spring-boot-starter-thymeleaf-3.3.5.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-starter-thymeleaf version) |
Remediation Possible** |
| CVE-2026-41901 |
 Critical |
9.0 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2026-40478 |
Critical |
9.0 |
detected in multiple dependencies |
Transitive |
3.5.14 |
✅ |
| CVE-2026-40477 |
Critical |
9.0 |
detected in multiple dependencies |
Transitive |
3.5.14 |
✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-41901
Vulnerable Libraries - thymeleaf-3.1.2.RELEASE.jar, thymeleaf-spring6-3.1.2.RELEASE.jar
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- thymeleaf-spring6-3.1.2.RELEASE.jar
- ❌ thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- ❌ thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
Publish Date: 2026-05-12
URL: CVE-2026-41901
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c9ph-gxww-7744
Release Date: 2026-05-05
Fix Resolution: org.thymeleaf:thymeleaf-spring6:3.1.5.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.5.RELEASE,org.thymeleaf:thymeleaf:3.1.5.RELEASE
CVE-2026-40478
Vulnerable Libraries - thymeleaf-spring6-3.1.2.RELEASE.jar, thymeleaf-3.1.2.RELEASE.jar
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- ❌ thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- thymeleaf-spring6-3.1.2.RELEASE.jar
- ❌ thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40478
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xjw8-8c5c-9r79
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-40477
Vulnerable Libraries - thymeleaf-3.1.2.RELEASE.jar, thymeleaf-spring6-3.1.2.RELEASE.jar
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- thymeleaf-spring6-3.1.2.RELEASE.jar
- ❌ thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- ❌ thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40477
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r4v4-5mwr-2fwr
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Libraries - thymeleaf-3.1.2.RELEASE.jar, thymeleaf-spring6-3.1.2.RELEASE.jar
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
Publish Date: 2026-05-12
URL: CVE-2026-41901
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c9ph-gxww-7744
Release Date: 2026-05-05
Fix Resolution: org.thymeleaf:thymeleaf-spring6:3.1.5.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.5.RELEASE,org.thymeleaf:thymeleaf:3.1.5.RELEASE
Vulnerable Libraries - thymeleaf-spring6-3.1.2.RELEASE.jar, thymeleaf-3.1.2.RELEASE.jar
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40478
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xjw8-8c5c-9r79
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - thymeleaf-3.1.2.RELEASE.jar, thymeleaf-spring6-3.1.2.RELEASE.jar
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40477
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r4v4-5mwr-2fwr
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.5.14
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.