Thank you for helping to keep Thymeleaf safe and secure. If you believe you have found a security issue in Thymeleaf, please notify us so that we can work with you on its prompt resolution.
- Let us know as soon as possible by sending an email to security@thymeleaf.org.
- Give us a reasonable amount of time to resolve the issue before disclosing it to the public or to a third party. In particular, do not open a GitHub issue yourself describing the vulnerability. We may publicly disclose the issue before it is resolved, but only when appropriate.
We will credit the reporter of a confirmed vulnerability in the GitHub ticket created for publishing it (typically once it is fixed).
We reserve the right to consider the following out of scope for Thymeleaf's security:
- Developer bad practices and inadequate uses of Thymeleaf that effectively create the vulnerability in the applications being developed with it.
- Attacks requiring physical access to the machine Thymeleaf is running on.
- Issues in Thymeleaf's software dependencies, which should be reported to those dependencies' maintainers.
- 3.1.x is the current development line. This version is not recommended for production use yet.
- 3.0.x is the latest production line (GA as of May 2016) and is under active support.
- 2.1.x and earlier versions are no longer supported. No further maintenance or security patches are planned for those lines.
At this point, we recommend upgrading to the latest Thymeleaf 3.0.x release.