Vendor
Thymeleaf versions up to 3.1.3.RELEASE are vulnerable to server-side template injection (SSTI) due to improper neutralization of specific syntax patterns, allowing attackers to execute unauthorized expressions when unvalidated user input is passed directly to the template engine.