Maven package
org.thymeleaf/thymeleaf-spring5
pkg:maven/org.thymeleaf/thymeleaf-spring5
Vulnerabilities (4)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41901 | Critical | 9.0 | | < 3.1.5.RELEASE | 3.1.5.RELEASE | May 12, 2026 | Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially |
| CVE-2026-40478 | Critical | 9.0 | | < 3.1.4.RELEASE | 3.1.4.RELEASE | Apr 17, 2026 | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it f |
| CVE-2026-40477 | Critical | 9.0 | | < 3.1.4.RELEASE | 3.1.4.RELEASE | Apr 17, 2026 | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails |
| CVE-2021-43466 | — | | | < 3.0.13.RELEASE | 3.0.13.RELEASE | Nov 9, 2021 | In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution. |