https://www.endorlabs.com/learn/its-about-thyme-how-a-whitespace-character-broke-thymeleafs-expression-sandbox-cve-2026-40478
It's About Thyme: How a Whitespace Character Broke Thymeleaf's Expression Sandbox (CVE-2026-40478)...
A critical Thymeleaf sandbox bypass lets attackers run arbitrary code in Spring apps. Here's how it works, what's at risk, and how to fix it.
https://www.thymeleaf.org/
Thymeleaf
https://www.csoonline.com/article/4160520/critical-sandbox-bypass-fixed-in-popular-thymeleaf-java-template-engine.html
Critical sandbox bypass fixed in popular Thymeleaf Java template engine | CSO Online
Apr 17, 2026 - The 9.1-CVSS vulnerability enables attackers to circumvent RCE protections in the de facto template engine for the Java Spring ecosystem.
https://fusionauth.io:443/docs/get-started/quickstarts/web/quickstart-java-springboot-web
Spring Boot With Thymeleaf | FusionAuth Docs
Quickstart integration of a Spring Boot web application using Thymeleaf with FusionAuth.