org.thymeleaf:thymeleaf-spring6 3.1.0.RELEASE

Direct Vulnerabilities

Known vulnerabilities in the org.thymeleaf:thymeleaf-spring6 package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Expression Language Injection Affected versions of this package are vulnerable to Expression Language Injection when dynamically loading classes, which allows server-side template injection that crosses the intended sandbox boundary. An attacker can execute unauthorized expressions with the privileges of the server by injecting malicious input into unsanitized variables used in sandboxed template contexts. This bypasses the `isTypeForbidden()` check to access `StandardTypeLocator` directly. How to fix Expression Language Injection? Upgrade `org.thymeleaf:thymeleaf-spring6` to version 3.1.5.RELEASE or higher.	[,3.1.5.RELEASE)
C Template Injection Affected versions of this package are vulnerable to Template Injection due to the `TemplateEngine`'s improper invalidation of certain syntactic patterns during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. How to fix Template Injection? Upgrade `org.thymeleaf:thymeleaf-spring6` to version 3.1.4.RELEASE or higher.	[,3.1.4.RELEASE)
C Template Injection Affected versions of this package are vulnerable to Template Injection due to the `TemplateEngine`'s improper restriction of accessible object scope during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. How to fix Template Injection? Upgrade `org.thymeleaf:thymeleaf-spring6` to version 3.1.4.RELEASE or higher.	[,3.1.4.RELEASE)

Vulnerability

Vulnerable Version

Expression Language Injection

Affected versions of this package are vulnerable to Expression Language Injection when dynamically loading classes, which allows server-side template injection that crosses the intended sandbox boundary. An attacker can execute unauthorized expressions with the privileges of the server by injecting malicious input into unsanitized variables used in sandboxed template contexts. This bypasses the isTypeForbidden() check to access StandardTypeLocator directly.

How to fix Expression Language Injection?

Upgrade org.thymeleaf:thymeleaf-spring6 to version 3.1.5.RELEASE or higher.

[,3.1.5.RELEASE)

Template Injection

Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper invalidation of certain syntactic patterns during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions.

How to fix Template Injection?

Upgrade org.thymeleaf:thymeleaf-spring6 to version 3.1.4.RELEASE or higher.

[,3.1.4.RELEASE)

Template Injection

Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper restriction of accessible object scope during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions.

How to fix Template Injection?

Upgrade org.thymeleaf:thymeleaf-spring6 to version 3.1.4.RELEASE or higher.

[,3.1.4.RELEASE)

org.thymeleaf:thymeleaf-spring6@3.1.0.RELEASE

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically