CSO Online

Critical sandbox bypass fixed in popular Thymeleaf Java template engine

The 9.1-CVSS vulnerability enables attackers to circumvent RCE protections in the de facto template engine for the Java ...
Ars Technica

Yet another Java flaw allows “complete” bypass of security sandbox

Eh, the issues are just deeper. XHTML at least is properly formed, which is useful. Otherwise it is the same old story. Presentation and structure inexplicably mixed. Too high level, ...