CVE-2026-40477 — Expression Language Injection in Org.thymeleaf Thymeleaf-spring5

CWE-917 — Expression Language Injection CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine3 documents3 sources

Severity

9.0CRITICALNVD

EPSS

0.1%

top 67.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thymeleaf Org.thymeleaf Thymeleaf-spring5 Thymeleaf Org.thymeleaf Thymeleaf-spring6 Thymeleaf

Timeline

PublishedApr 17

Latest updateApr 18

Description

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the templ…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.2 | Impact: 6.0

Affected Packages3 packages

▶CVEListV5thymeleaf/thymeleaf< 3.1.4.RELEASE

▶CVEListV5thymeleaf/org.thymeleaf_thymeleaf-spring5< 3.1.4.RELEASE

▶CVEListV5thymeleaf/org.thymeleaf_thymeleaf-spring6< 3.1.4.RELEASE

🔴Vulnerability Details

VulDB

thymeleaf/thymeleaf-spring5/thymeleaf-spring6 up to 3.1.3 expression language injection (GHSA-r4v4-5mwr-2fwr)↗2026-04-18

▶

GHSA

Improper restriction of the scope of accessible objects in Thymeleaf expressions↗2026-04-15

▶