CVE Catalog

CVE-2026-40477

CriticalCVSS 9.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.86%

54th percentile — higher than 54% of all known CVEs

Summary

Thymeleaf versions up to 3.1.3.RELEASE contain a security bypass vulnerability in the expression execution mechanisms. The library fails to properly restrict the scope of accessible objects, allowing an unauthenticated remote attacker to achieve Server-Side Template Injection (SSTI) by passing unvalidated user input to the template engine.

Risk Assessment

The risk involves potential remote code execution by an unauthenticated attacker, which could lead to server compromise, data theft, or further escalation within the infrastructure.

Recommendation

Immediately update Thymeleaf to version 3.1.4.RELEASE or later. Additionally, validate and sanitize all user input passed to the template engine.

Original NVD description (English source)

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS