TopVuln

High-risk vulnerability digests

CVE-2026-40477

Severity: CRITICAL

Details

CVSS v3: 9.0
NVD published: 2026-04-17 22:16:33
EPSS: <0.1% probability, 15.8th percentile (as of 2026-05-12)
Affected versions: Thymeleaf 3.1.3.RELEASE and all prior versions
Summary
Thymeleaf is a very widely used server-side Java template engine for web applications. The library fails to properly restrict the scope of objects reachable during template processing, allowing attackers to bypass its existing expression-injection protections. If an application passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can achieve server-side template injection (SSTI), which commonly leads to full remote code execution. The issue is fixed in version 3.1.4.RELEASE.
Remediation
Development teams and organizations running applications with affected Thymeleaf versions should upgrade to the fixed version 3.1.4.RELEASE immediately. If the upgrade must be delayed, avoid passing unvalidated user input directly to the template engine as a temporary mitigation.
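What "do not pass unvalidated user input directly to the template engine" looks like in code, as an added example that is not part of this digest or of the Thymeleaf project: the unsafe method hands the request value to the engine as template source, the safe one binds it as a context variable and lets th:text render it as escaped data. It uses Thymeleaf's StringTemplateResolver API; the class and method names are hypothetical, and whether a particular code path is affected by this CVE depends on details the digest does not give.

```java
// Added illustration of the remediation advice; not code from the advisory
// or from Thymeleaf. Class and method names are hypothetical.
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafInputHandling {

    // Engine that resolves template names as literal template text.
    private static TemplateEngine engine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // UNSAFE: the user-supplied string becomes the template itself, so any
    // expression syntax it contains is evaluated by the engine. This is the
    // "unvalidated user input passed directly to the template engine" pattern
    // the digest warns about.
    static String renderUnsafe(String userSupplied) {
        return engine().process(userSupplied, new Context());
    }

    // SAFE: the template is a developer-controlled constant; the user's string
    // is bound as a context variable and rendered with th:text, which treats it
    // as data and HTML-escapes it instead of evaluating it.
    static String renderSafe(String userSupplied) {
        Context ctx = new Context();
        ctx.setVariable("greetingName", userSupplied);
        return engine().process("<p th:text=\"${greetingName}\">name</p>", ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input: markup that must come out escaped.
        String input = "<b>World</b>";
        System.out.println(renderSafe(input));
    }
}
```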
Exploit info
No public exploit found yet.


TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.


Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.