CVE-2026-40478

CRITICAL 9.1

Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

CWE	CWE-917 CWE-1336
Vendor	thymeleaf
Product	thymeleaf
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for thymeleaf thymeleaf

Be the first to know when new critical vulnerabilities affecting thymeleaf thymeleaf are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

thymeleaf / thymeleaf

< 3.1.4.RELEASE

thymeleaf / org.thymeleaf:thymeleaf-spring5

< 3.1.4.RELEASE

thymeleaf / org.thymeleaf:thymeleaf-spring6

< 3.1.4.RELEASE

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79