Thymeleaf, a server-side Java template engine, contains a security bypass vulnerability in versions 3.1.3.RELEASE and prior. The vulnerability exists in the expression execution mechanisms where the library fails to properly neutralize specific syntax patterns. This allows unauthenticated remote attackers to bypass protections and achieve Server-Side Template Injection (SSTI) when developers pass unvalidated user input directly to the template engine. The issue affects web and standalone environments and has been fixed in version 3.1.4.RELEASE.