CVE Catalog

CVE-2026-40478

CriticalCVSS 9.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.78%

51th percentile — higher than 51% of all known CVEs

Summary

Thymeleaf versions up to 3.1.3.RELEASE contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides protections against expression injection, it fails to properly neutralize specific syntax patterns, allowing unauthorized expression execution. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass protections to achieve Server-Side Template Injection (SSTI).

Risk Assessment

The risk for the organization is that an unauthenticated remote attacker can execute unauthorized server-side expressions, potentially leading to data leakage, template modification, or further attack escalation in the production environment.

Recommendation

It is recommended to immediately upgrade Thymeleaf to version 3.1.4.RELEASE or later and implement validation of all user input before passing it to the template engine.

Original NVD description (English source)

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS