CVE-2026-41901 was publicly disclosed on May 12, 2026 with a CVSS score of 9. The vulnerability is a security bypass in Thymeleaf's expression execution layer: the engine fails to neutralize specific constructs, enabling server-side template injection (SSTI) when attacker-controlled variables are passed directly into templates without sanitization. In Java web applications, SSTI via Thymeleaf can typically be escalated to arbitrary remote code execution on the application server. Thymeleaf is widely used as the default view layer in Spring Boot applications, making the blast radius potentially broad across Java enterprise deployments. Applications that pass any user-supplied data into Thymeleaf template fragments — including fragment selectors, attribute values, or expression variables — without strict input validation are vulnerable. Developers should audit template rendering paths and apply available patches; mitigations include strict input escaping and avoiding dynamic template construction from user data.
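The pattern the advisory describes, user data flowing into the view or fragment selector, and the mitigation it recommends, allow-listing plus passing raw values only as escaped model attributes, shown side by side in a Spring MVC controller. This is an added illustration of the general SSTI pattern, not code from Thymeleaf, Spring or the advisory; `PanelController`, the `/panel` routes and the `panels/*` template names are assumed for the example, and it does not claim to reproduce the specific construct CVE-2026-41901 concerns.

```java
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class PanelController {

    // VULNERABLE pattern (hypothetical example): the request parameter becomes part
    // of the returned view/fragment name, so untrusted input reaches the template
    // resolution and expression layer instead of being treated as plain data.
    @GetMapping("/panel")
    public String panel(@RequestParam String section) {
        return "panels/" + section;   // user-controlled template selector
    }

    // HARDENED pattern: user input may only select from a fixed allow-list of
    // known template names. Anything else is rejected before it reaches Thymeleaf.
    private static final Set<String> SECTIONS = Set.of("summary", "details", "history");

    @GetMapping("/panel-safe")
    public String panelSafe(@RequestParam String section,
                            @RequestParam(required = false) String title,
                            Model model) {
        if (!SECTIONS.contains(section)) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unknown section");
        }
        // Free-form user text is never concatenated into the view name or an
        // expression; it is handed to the template as a model attribute, which
        // th:text renders with HTML escaping rather than evaluating it.
        model.addAttribute("title", title == null ? "" : title);
        return "panels/" + section;   // only an allow-listed value can get here
    }
}
```

Detection-wise, the same audit question applies to every rendering path: grep controllers for view names built from request data (`return ... + param`, fragment selectors like `:: ` assembled from input) and treat each hit as a candidate for the allow-list refactor above.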