CVE-2026-40478
CriticalCVSS 9.0Exploitation Probability (EPSS)
Elevated risk51th percentile — higher than 51% of all known CVEs
Summary
Thymeleaf versions up to 3.1.3.RELEASE contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides protections against expression injection, it fails to properly neutralize specific syntax patterns, allowing unauthorized expression execution. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass protections to achieve Server-Side Template Injection (SSTI).
Risk Assessment
The risk for the organization is that an unauthenticated remote attacker can execute unauthorized server-side expressions, potentially leading to data leakage, template modification, or further attack escalation in the production environment.
Recommendation
It is recommended to immediately upgrade Thymeleaf to version 3.1.4.RELEASE or later and implement validation of all user input before passing it to the template engine.
Original NVD description (English source)
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

