# Thymeleaf CVE-2026-41901 enables SSTI
- GitHub and Thymeleaf disclosed CVE-2026-41901, a critical sandbox bypass in Thymeleaf expressions that can let dangerous template code run in Java apps.
- The bug affects Thymeleaf through 3.1.4.RELEASE, was published April 29, 2026, and the project lists 3.1.5.RELEASE as the patched release.
- This matters because Thymeleaf often sits inside Spring stacks, where user-controlled template fragments can turn a sandbox escape into SSTI.
Java template engines are supposed to turn data into HTML, emails, and documents — not execute attacker logic. That boundary is exactly what broke in Thymeleaf with CVE-2026-41901. The bug is a sandbox bypass in Thymeleaf’s expression engine, and in the wrong app it can turn “safe enough” restricted template handling into full server-side template injection. GitHub published the advisory on April 29, 2026, and Thymeleaf’s current fixed release is 3.1.5.RELEASE. (github.com)

### What actually broke?

The flaw is not “Thymeleaf runs arbitrary code by default.” The bug is narrower — and that’s why it’s easy to misunderstand. Thymeleaf has restricted contexts where dangerous expressions are supposed to be blocked, but the advisory says the engine fails to properly neutralize certain syntax patterns, which lets unauthorized expressions slip through the sandbox. In (github.com)can step around it. (github.com)

### Why does that become SSTI?

SSTI happens when attacker-controlled input gets treated as template code instead of plain data. If an application lets users influence template fragments, expression bodies, or dynamically built views, Thymeleaf may end up evaluating something the developer thought was constrained. This bug matters because it weakens the “restricted” part of that setup. The (github.com)— the library bug opens the door, but the app has to hand the attacker the handle. That last point is an inference from the advisory language about sandboxed contexts. (github.com)

### Which versions are affected?

The GitHub advisory says Thymeleaf is affected up to and including 3.1.4.RELEASE. The Thymeleaf download page lists 3.1.5.RELEASE as the latest version, with a release date of April 12, 2026, and that is the fixed version tied to the advisory. So if a production service still runs 3.1.4.RELEASE or older, it is in the affected range. (github.com)e execution? Potentially, but not automatically.
The advisory describes unauthorized expression execution, not guaranteed one-shot RCE in every deployment. Whether that turns into code execution, data exposure, or a smaller sandbox escape depends on what expression features the app exposes, what objects are reachable from templates, and how the surrounding framework i(github.com)adius is app-specific. (github.com)

### Why are Spring teams paying attention?

Because Thymeleaf is common in Java web stacks, especially alongside Spring MVC and Spring Boot. A lot of teams use it safely for normal server-rendered pages. But any code path that mixes user input with template construction, custom dialects, or restricted-expression assumptions deserves a hard review now. The vulnerability is in `org.thymeleaf:` (github.com)ch it once advisories sync. (github.com)

### What should teams do now?

Upgrade to 3.1.5.RELEASE first. Then audit for places where untrusted input can influence template source, fragment names, or expression content. Also treat “sandboxed” Thymeleaf usage as suspect until reviewed, because that is the specific trust boundary the advisory says failed. If immediate patching is blocked, the best short-term move is to remove or l(github.com 1) (github.com 2)

### How urgent is this?

Urgent enough that teams should treat it as an active patch item, not a backlog cleanup. GitHub marks the advisory critical, and sandbox escapes in template engines have a habit of becoming much worse once researchers and attackers start trading payload ideas. Even if your app never lets users submit templates directly, indirect paths — admin customization tools, CM(github.com)al. (github.com)

### Bottom line?

This is a Thymeleaf sandbox bypass with SSTI implications, not a vague “Java is broken” story. If your app uses Thymeleaf, patch to 3.1.5.RELEASE and review every place where template behavior depends on untrusted input. (github.com)
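The audit step above ("places where untrusted input can influence template source, fragment names, or expression content") is easiest to recognise with a concrete before/after. The following Spring MVC controller is an added example written for this page; it is not code from the advisory or from the Thymeleaf project, and the package, class, view names and request paths are hypothetical. The first handler lets a request parameter become part of the view name that Thymeleaf resolves, which is the shape of code the "Why does that become SSTI?" section warns about. The second handler maps the parameter onto a fixed allowlist and passes user text to the template only as model data, so it is rendered as data rather than interpreted as template syntax.

```java
// Added example (not from the advisory or the Thymeleaf project): an unsafe
// view-selection pattern beside a hardened one. Package and names are hypothetical.
package example.web;

import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class ThemeController {

    // The only views this controller may render. The request parameter is a key
    // into this map, never a substring of the template name.
    private static final Map<String, String> ALLOWED_VIEWS = Map.of(
            "light", "themes/light",
            "dark", "themes/dark");

    // UNSAFE: the request parameter is concatenated into the view name that the
    // view resolver hands to Thymeleaf. Untrusted text is now part of what the
    // template engine parses, which is exactly the boundary the advisory says
    // the sandbox failed to hold.
    @GetMapping("/theme/unsafe")
    public String unsafeTheme(@RequestParam String name) {
        return "themes/" + name;
    }

    // HARDENED: resolve the parameter through the allowlist and reject anything
    // else. User-supplied text reaches the template only as a model attribute,
    // where `<p th:text="${greeting}"></p>` renders it as escaped data.
    @GetMapping("/theme")
    public String safeTheme(@RequestParam String name,
                            @RequestParam(required = false) String greeting,
                            Model model) {
        String view = resolveView(name);
        if (view == null) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unknown theme");
        }
        model.addAttribute("greeting", greeting == null ? "" : greeting);
        return view;
    }

    // Kept as a separate method so the allowlist decision can be unit-tested
    // without spinning up the web layer. Returns null for anything not allowed.
    static String resolveView(String name) {
        return name == null ? null : ALLOWED_VIEWS.get(name);
    }
}
```

The allowlist does not depend on which Thymeleaf version is installed, so it is worth keeping after the upgrade to 3.1.5.RELEASE: the library fix closes this particular sandbox bypass, while the controller change removes the code path that would hand the next one a handle. The same shape applies to fragment selection (`layout :: fragmentName`) and to any place where a template string is built by concatenation rather than loaded from a fixed resource.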
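For the "Which versions are affected?" check, a dependency scanner is the normal route, but a startup guard catches the case where a transitive dependency or a fat jar drags in an older release than the build file declares. This is an added example, not code from the Thymeleaf project; it reads the `org.thymeleaf.Thymeleaf.VERSION` constant that the library exposes and compares it against the first fixed release named on this page, 3.1.5.RELEASE. The class name and the decision to fail fast rather than log are assumptions for the example.

```java
// Added example (not Thymeleaf project code): refuse to start on a Thymeleaf
// release in the range the advisory lists as affected (up to and including
// 3.1.4.RELEASE). Class name is hypothetical.
package example.web;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ThymeleafVersionGuard {

    // Leading numeric part of a version string such as "3.1.4.RELEASE".
    private static final Pattern NUMERIC = Pattern.compile("^(\\d+)\\.(\\d+)\\.(\\d+)");

    // First release that the advisory ties the fix to.
    static final int[] FIXED = {3, 1, 5};

    // True when the version sorts strictly below 3.1.5; the advisory says every
    // release up to and including 3.1.4.RELEASE is affected.
    static boolean isAffected(String version) {
        Matcher m = NUMERIC.matcher(version);
        if (!m.find()) {
            throw new IllegalArgumentException("unrecognised Thymeleaf version: " + version);
        }
        int[] v = {
            Integer.parseInt(m.group(1)),
            Integer.parseInt(m.group(2)),
            Integer.parseInt(m.group(3))
        };
        for (int i = 0; i < FIXED.length; i++) {
            if (v[i] != FIXED[i]) {
                return v[i] < FIXED[i];
            }
        }
        return false; // exactly 3.1.5: fixed
    }

    // Call once during application start-up (for Spring Boot, from a
    // CommandLineRunner or the main method before the context is built).
    public static void checkRunningVersion() {
        String running = org.thymeleaf.Thymeleaf.VERSION;
        if (isAffected(running)) {
            throw new IllegalStateException(
                "Thymeleaf " + running + " is in the CVE-2026-41901 affected range; "
                + "upgrade to 3.1.5.RELEASE or later");
        }
    }

    public static void main(String[] args) {
        // Constructed sample values to show the decision boundary.
        System.out.println("3.1.4.RELEASE affected: " + isAffected("3.1.4.RELEASE"));
        System.out.println("3.1.5.RELEASE affected: " + isAffected("3.1.5.RELEASE"));
        System.out.println("3.0.15.RELEASE affected: " + isAffected("3.0.15.RELEASE"));
    }
}
```

Failing start-up is deliberate: a logged warning on an affected version is easy to miss, whereas a crashed deployment makes the stale dependency visible in the pipeline that should have caught it. Teams that cannot take the upgrade immediately can downgrade the guard to a log line while the short-term mitigations from the "What should teams do now?" section are in place.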