๐Ÿ” CVE Alert

CVE-2026-40477

CRITICAL 9.1

Improper restriction of the scope of accessible objects in Thymeleaf expressions

CVSS Score: 9.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.
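The precondition in the description is an application that lets request data become template text. The following is an added illustration, not code from the advisory or the Thymeleaf project: the risky pattern next to the safe one, using only the public Thymeleaf API (class and method names are hypothetical, the StringTemplateResolver setup is a plain in-memory configuration chosen for the demonstration).

```java
// Added example (not from the advisory or Thymeleaf): the anti-pattern the
// description warns about, next to the safe way to render the same input.
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class GreetingRenderer {

    private final TemplateEngine engine;

    public GreetingRenderer() {
        // StringTemplateResolver treats the first argument of process() as the
        // template text itself. That is exactly what makes renderUnsafe() below
        // a template-injection sink.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
    }

    // RISKY: the request value is concatenated into the template, so any
    // expression syntax it contains is parsed and evaluated by the engine.
    // On versions before 3.1.4.RELEASE the object-scope restrictions that are
    // meant to limit such expressions can be bypassed (CVE-2026-40477);
    // regardless of version, user input must never become template text.
    public String renderUnsafe(String userSuppliedName) {
        return engine.process("<p>Hello, " + userSuppliedName + "</p>", new Context());
    }

    // SAFE: the template is a fixed, developer-controlled string and the user
    // value travels as a context variable. th:text emits it as escaped text,
    // so anything inside it is data, not an expression.
    public String renderSafe(String userSuppliedName) {
        Context ctx = new Context();
        ctx.setVariable("name", userSuppliedName);
        return engine.process("<p th:text=\"'Hello, ' + ${name}\">placeholder</p>", ctx);
    }
}
```

The code change removes the injection sink in the application; upgrading the affected artifacts to 3.1.4.RELEASE (see Affected Versions below) restores the library-side restrictions and both should be done.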

CWE: CWE-917, CWE-1336
Vendor: thymeleaf
Product: thymeleaf
Published: Apr 17, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

thymeleaf / thymeleaf: < 3.1.4.RELEASE
thymeleaf / org.thymeleaf:thymeleaf-spring5: < 3.1.4.RELEASE
thymeleaf / org.thymeleaf:thymeleaf-spring6: < 3.1.4.RELEASE

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr