CVE-2026-40477
published 2026-04-17

Priority: P2 · 62 · critical
CVSS 3.1 base score: 9 (AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H)
EPSS: 0.86% (54.0th percentile)
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.

Affected (8 ranges)

Vendor      Product                           Version range      Fixed in
devspaces   openvsx-rhel9                     (not stated)       (not stated)
devspaces   pluginregistry-rhel9              (not stated)       (not stated)
thymeleaf   org.thymeleaf_thymeleaf-spring5   < 3.1.4.RELEASE    3.1.4.RELEASE
thymeleaf   org.thymeleaf_thymeleaf-spring5   (not stated)       (not stated)
thymeleaf   org.thymeleaf_thymeleaf-spring6   < 3.1.4.RELEASE    3.1.4.RELEASE
thymeleaf   thymeleaf                         < 3.1.4.RELEASE    3.1.4.RELEASE
thymeleaf   thymeleaf                         < 3.1.4            3.1.4
thymeleaf   thymeleaf                         (not stated)       (not stated)

Detection & IOCs (extracted from sources)

  • Vulnerability class is Server-Side Template Injection (SSTI) via security bypass in Thymeleaf's expression execution mechanisms; monitor for unvalidated user input being passed directly to the Thymeleaf template engine
  • The bypass allows access to objects outside the intended scope from within a template; look for template expressions attempting to access sensitive/restricted Java objects at runtime
  • Affected packages across Red Hat products include thymeleaf, camel-thymeleaf, spring-boot-starter-thymeleaf, thymeleaf-spring5, thymeleaf-extras-java8time, vertx-web-templ-thymeleaf, and smallrye-mutiny-vertx-web-templ-thymeleaf; audit deployments for these artifacts at versions <= 3.1.3.RELEASE
  • No mitigation is currently available from Red Hat; the only fix is upgrading to Thymeleaf 3.1.4.RELEASE
  • The vulnerability is only exploitable when application developers pass unvalidated user input directly to the template engine; applications that sanitize or validate input before templating are at reduced risk

CVSS provenance

NVD (CVSS v3.1): 9.0 CRITICAL — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor (Red Hat): 9.0 CRITICAL