CVE-2026-40477
Published 2026-04-17
Priority: P2 (62) · CVSS 3.1 base score: 9 (critical)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.86% (54.0th percentile)
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| thymeleaf | org.thymeleaf_thymeleaf-spring5 | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| thymeleaf | org.thymeleaf_thymeleaf-spring5 | — | — |
| thymeleaf | org.thymeleaf_thymeleaf-spring6 | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| thymeleaf | thymeleaf | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| thymeleaf | thymeleaf | < 3.1.4 | 3.1.4 |
| thymeleaf | thymeleaf | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability class is Server-Side Template Injection (SSTI) via security bypass in Thymeleaf's expression execution mechanisms; monitor for unvalidated user input being passed directly to the Thymeleaf template engine
- The bypass allows access to objects outside the intended scope from within a template; look for template expressions attempting to access sensitive/restricted Java objects at runtime
- Affected packages across Red Hat products include thymeleaf, camel-thymeleaf, spring-boot-starter-thymeleaf, thymeleaf-spring5, thymeleaf-extras-java8time, vertx-web-templ-thymeleaf, and smallrye-mutiny-vertx-web-templ-thymeleaf; audit deployments for these artifacts at versions <= 3.1.3.RELEASE
- No mitigation is currently available from Red Hat; the only fix is upgrading to Thymeleaf 3.1.4.RELEASE
- The vulnerability is only exploitable when application developers pass unvalidated user input directly to the template engine; applications that sanitize or validate input before templating are at reduced risk
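The audit step in the Red Hat note can be scripted against a resolved dependency listing. The checker below is an added example, not code from Thymeleaf, Red Hat or this page; it assumes the line format Maven's `dependency:list` prints (`groupId:artifactId:type[:classifier]:version:scope`, optionally prefixed with `[INFO]`), uses the fixed version 3.1.4.RELEASE from the advisory, and treats the `.RELEASE` suffix as a qualifier so that `3.1.4` and `3.1.4.RELEASE` compare equal. Only the core artifacts (thymeleaf, thymeleaf-spring5, thymeleaf-spring6) carry Thymeleaf's own version number; the wrapper artifacts from the note (spring-boot-starter-thymeleaf and the others) are versioned independently, so they are reported for review and the resolved `org.thymeleaf:thymeleaf` line is what decides exposure. The sample listing and its versions are constructed; the `org.springframework.boot` groupId is an assumption.

```python
import re

# Fix version stated in the advisory.
FIXED_VERSION = "3.1.4.RELEASE"

# Core artifacts: their own version number is the Thymeleaf version.
CORE_ARTIFACTS = {"thymeleaf", "thymeleaf-spring5", "thymeleaf-spring6"}

# Wrapper/integration artifacts named in the Red Hat note. They carry their own
# version numbers, so they are flagged for review rather than compared.
WRAPPER_ARTIFACTS = {
    "camel-thymeleaf",
    "spring-boot-starter-thymeleaf",
    "thymeleaf-extras-java8time",
    "vertx-web-templ-thymeleaf",
    "smallrye-mutiny-vertx-web-templ-thymeleaf",
}

# Constructed sample in the assumed `mvn dependency:list` format (not real output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.thymeleaf:thymeleaf:jar:3.1.2.RELEASE:compile
[INFO]    org.thymeleaf:thymeleaf-spring6:jar:3.1.4.RELEASE:compile
[INFO]    org.springframework.boot:spring-boot-starter-thymeleaf:jar:3.2.5:compile -- module spring.boot.starter.thymeleaf (auto)
[INFO]    com.example:unrelated-lib:jar:1.0.0:compile
[INFO] BUILD SUCCESS
"""


def parse_version(version: str) -> tuple:
    """Return the leading numeric components of a version.

    '3.1.3.RELEASE' and '3.1.3' both give (3, 1, 3). Parsing stops at the first
    non-numeric piece, so qualifiers such as RELEASE are ignored. An unparseable
    version yields (), which compares lower than any real version and is
    therefore reported as vulnerable (conservative default).
    """
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
        if m.end() != len(part):  # e.g. '4-SNAPSHOT': keep the 4, stop here
            break
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True when the version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_dependency_line(line: str):
    """Return (groupId, artifactId, version) for a dependency line, else None."""
    text = line.strip()
    if text.startswith("[INFO]"):
        text = text[len("[INFO]"):].strip()
    text = text.split(" -- ")[0].strip()  # drop trailing module annotation
    fields = text.split(":")
    # Dependency lines have at least g:a:type:version:scope and no spaces;
    # status lines such as 'BUILD SUCCESS' contain spaces and are skipped.
    if len(fields) < 5 or " " in text:
        return None
    return fields[0], fields[1], fields[-2]


def audit(lines):
    """Classify every Thymeleaf-related dependency line.

    Returns a list of (groupId, artifactId, version, status) with status one of
    'VULNERABLE', 'OK' (core artifacts) or 'REVIEW' (wrapper artifacts).
    """
    findings = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        if artifact in CORE_ARTIFACTS:
            status = "VULNERABLE" if is_vulnerable(version) else "OK"
        elif artifact in WRAPPER_ARTIFACTS:
            status = "REVIEW"
        else:
            continue
        findings.append((group, artifact, version, status))
    return findings


if __name__ == "__main__":
    for group, artifact, version, status in audit(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"{status:10s} {group}:{artifact}:{version}")
```

Run it against `mvn dependency:list` output piped to a file instead of the embedded sample; a `REVIEW` line means the wrapper artifact needs its transitive `org.thymeleaf:thymeleaf` version checked, which the same run reports if the listing is fully resolved.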
CVSS provenance
NVD (CVSS v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat (vendor): 9.0 CRITICAL
VulDB
thymeleaf/thymeleaf-spring5/thymeleaf-spring6 up to 3.1.3 expression language injection (GHSA-r4v4-5mwr-2fwr)
vuldb·2026-04-18·CVSS 9.0
CVE-2026-40477 [CRITICAL] thymeleaf/thymeleaf-spring5/thymeleaf-spring6 up to 3.1.3 expression language injection (GHSA-r4v4-5mwr-2fwr)
A vulnerability identified as problematic has been detected in thymeleaf, thymeleaf-spring5 and thymeleaf-spring6 up to 3.1.3. This affects an unknown function. The manipulation leads to improper neutralization of special elements used in an expression language statement.
This vulnerability is uniquely identified as CVE-2026-40477. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
GHSA
Improper restriction of the scope of accessible objects in Thymeleaf expressions
ghsa·2026-04-15
CVE-2026-40477 [CRITICAL] CWE-1336 Improper restriction of the scope of accessible objects in Thymeleaf expressions
Improper restriction of the scope of accessible objects in Thymeleaf expressions
### Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).
### Patches
This has been fixed in Thymeleaf 3.1.4.RELEASE.
### Workarounds
No workaround is available beyond ensuring applications do not pass
Red Hat
thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution
vendor_redhat·2026-04-17·CVSS 9.0
CVE-2026-40477 [CRITICAL] CWE-917 thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution
thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.
A flaw was found
No detection rules found.
No public exploits indexed.
References:
- https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/security/cve/CVE-2026-40477
- https://bugzilla.redhat.com/show_bug.cgi?id=2459344
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40477.json
Published: 2026-04-17