{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/thymeleaf--3.1.4.release/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["thymeleaf (\u003c= 3.1.4.RELEASE)","thymeleaf-spring5 (\u003c= 3.1.4.RELEASE)","thymeleaf-spring6 (\u003c= 3.1.4.RELEASE)"],"_cs_severities":["critical"],"_cs_tags":["ssti","template-injection","thymeleaf","cve-2026-41901"],"_cs_type":"advisory","_cs_vendors":["org.thymeleaf"],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-41901, has been identified in Thymeleaf, a Java template engine, affecting versions up to and including 3.1.4.RELEASE. This vulnerability allows for Server-Side Template Injection (SSTI) due to the improper neutralization of specific syntax patterns within sandboxed expression execution. Specifically, the library fails to properly sanitize certain constructs, allowing potentially dangerous expressions to be executed even within supposedly restricted contexts. This poses a significant risk if application developers pass unsanitized variables to the template engine and these variables are then utilized in sandboxed areas within the templates. Successful exploitation can lead to arbitrary code execution on the server.\nAll users of affected versions are strongly advised to upgrade to version 3.1.5.RELEASE as soon as possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of Thymeleaf (\u0026lt;= 3.1.4.RELEASE).\u003c/li\u003e\n\u003cli\u003eThe attacker locates a template within the application that uses Thymeleaf\u0026rsquo;s expression evaluation within a sandboxed context.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an input field or parameter that passes data to the Thymeleaf template engine.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a Thymeleaf expression designed to bypass the sandbox restrictions. This payload may utilize specific syntax patterns not properly neutralized by the vulnerable Thymeleaf version.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted payload into the identified input field.\u003c/li\u003e\n\u003cli\u003eThe application processes the attacker-controlled input via the Thymeleaf template engine.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the malicious Thymeleaf expression is executed despite the intended sandboxing.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, potentially gaining full control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41901 can lead to complete system compromise. An attacker could potentially execute arbitrary code, install malware, steal sensitive data, or disrupt application services. The vulnerability affects any application using Thymeleaf versions up to 3.1.4.RELEASE, potentially impacting numerous organizations across various sectors.\nThe lack of proper input sanitization is the root cause, which can be difficult to identify and mitigate without patching the underlying Thymeleaf library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Thymeleaf to version 3.1.5.RELEASE or later to patch CVE-2026-41901.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, review and sanitize all data passed to the Thymeleaf template engine to prevent the injection of malicious expressions. However, this workaround is not a complete solution and upgrading is strongly recommended.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Thymeleaf Template Injection Attempts\u0026rdquo; to identify potential exploitation attempts in web server logs, focusing on HTTP requests containing suspicious patterns related to Thymeleaf expressions.\u003c/li\u003e\n\u003cli\u003eEnable verbose logging on your web servers to capture detailed information about HTTP requests and responses, which can aid in identifying and investigating potential template injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-thymeleaf-ssti/","summary":"A server-side template injection vulnerability exists in Thymeleaf versions up to 3.1.4.RELEASE due to improper neutralization of specific constructs, allowing the execution of potentially dangerous expressions in sandboxed contexts if unsanitized variables are passed to the template engine.","title":"Thymeleaf Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-thymeleaf-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed — Thymeleaf (\u003c= 3.1.4.RELEASE)","version":"https://jsonfeed.org/version/1.1"}