CVE-2026-41901

Severity: Critical · Lab available

Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions

Title source: CNA

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-41901. PoCs published by dwisiswant0 and HORKimhab.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-41901, a critical SSTI vulnerability in Thymeleaf <= 3.1.4.RELEASE. The exploit leverages a case-sensitivity bypass in SpEL type reference detection to achieve remote code execution.

Description

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow such expressions to be executed. If an application developer passes unsanitized variables containing such expressions to the template engine, and those values are used in sandboxed contexts inside the templates, the expressions can be executed, achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

Exploits (2)

GitHub · Working PoC · 1 star
by dwisiswant0 · Python PoC
https://github.com/dwisiswant0/neo-pocs/tree/master/2026/CVE-2026-41901

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Thymeleaf <= 3.1.4.RELEASE
Authentication: none needed
Prerequisites: Thymeleaf application with user-controlled input in templates
Analyzed by devstral-2 on May 14, 2026

GitHub · Working PoC
by HORKimhab · Shell PoC
https://github.com/HORKimhab/CVE-2026-41901

This repository contains a functional exploit for CVE-2026-41901, demonstrating remote command execution (RCE) in a Thymeleaf application via SpEL injection. The exploit includes a Docker-based lab setup and a script to execute arbitrary commands.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Thymeleaf 3.1.4.RELEASE with Spring Boot 3.2.0
Authentication: none needed
Prerequisites: Docker · curl · vulnerable Thymeleaf version
Analyzed by devstral-2 on May 23, 2026

Scores

CVSS v3.1: 9.0
EPSS: 0.0010
EPSS Percentile: 28.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: total

Lab Environment

Community Lab
Base image: docker pull eclipse-temurin:17-jre

Details

CWE: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), CWE-917 (Expression Language Injection)
Status: published
Products (4):
org.thymeleaf/thymeleaf (Maven): 0 to 3.1.5.RELEASE (exclusive)
org.thymeleaf/thymeleaf-spring5 (Maven): 0 to 3.1.5.RELEASE (exclusive)
org.thymeleaf/thymeleaf-spring6 (Maven): 0 to 3.1.5.RELEASE (exclusive)
thymeleaf/thymeleaf: < 3.1.5.RELEASE
Published: May 12, 2026
Tracked Since: May 13, 2026