Skip to main content
Components
Vulnerabilities
Pricing
MCP
API
Docs
Sign up
Login
Find vulnerabilities. Fix fast with AI.
Search components by package, version, or CVE to get started.
org.thymeleaf/thymeleaf-spring5 3.0.11.REL… | Sonatype Guide
Get full component data and automated fixes with Sonatype Guide.
Sign up for free
maven
org.thymeleaf
thymeleaf-spring5
3.0.11.RELEASE
thymeleaf-spring5 3.0.11.RELEASE
org.thymeleaf
Published
Oct 28, 2018
•
Policy
compliance
maven Registry
Developer Trust Score
Recommended Version:
x.y.z
Recommended upgrade that meets your policy.
Compare Versions
Overview
Overview
Versions
24
Versions
24
Vulnerabilities
4
Vulnerabilities
4
Dependencies
2
Dependencies
2
Severity
Critical
(4)
High
(0)
Medium
(0)
Low
(0)
CVSS Score
0.0
10.0
EPSS Score
0.0
1.0
Malware
KEV Status
Published
Filter
Sort: Published (Newest first)
9.0
CVE-2026-41901
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
affected
Severity
Critical
Published
May 5, 2026
9.0
CVE-2026-40477
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
affected
Severity
Critical
Published
Apr 16, 2026
9.0
CVE-2026-40478
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
affected
Severity
Critical
Published
Apr 16, 2026
9.8
CVE-2021-43466
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
affected
Severity
Critical
Published
Nov 15, 2021
