CVE-2026-40478
Published: 2026-04-17
Priority: P2 (62)
CVSS 3.1: 9.0 (critical), vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.78% (51.2th percentile)
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| thymeleaf | org.thymeleaf_thymeleaf-spring5 | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| thymeleaf | org.thymeleaf_thymeleaf-spring5 | — | — |
| thymeleaf | org.thymeleaf_thymeleaf-spring6 | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| thymeleaf | thymeleaf | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| thymeleaf | thymeleaf | < 3.1.4 | 3.1.4 |
| thymeleaf | thymeleaf | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability class is Server-Side Template Injection (SSTI) via expression execution bypass in Thymeleaf; detect unvalidated user input being passed directly to the Thymeleaf template engine, particularly inputs containing template expression syntax (e.g., ${...}, *{...}, #{...}, @{...}, ~{...})
- Affected versions are Thymeleaf 3.1.3.RELEASE and prior; flag use of these versions in dependency manifests (pom.xml, gradle files) as a detection/inventory signal
- Monitor affected packages across Red Hat ecosystems: thymeleaf, camel-thymeleaf, spring-boot-starter-thymeleaf, thymeleaf-spring5, thymeleaf-extras-java8time, smallrye-mutiny-vertx-web-templ-thymeleaf, vertx-web-templ-thymeleaf — presence of these in Red Hat JBoss EAP 7/8, Red Hat Fuse 7, Red Hat SSO 7, and Red Hat OpenShift Dev Spaces indicates exposure
- The vulnerability is only exploitable when application developers pass unvalidated user input directly to the Thymeleaf template engine; applications that properly validate and sanitize user input before template processing are not affected
- Fixed version is 3.1.4.RELEASE; environments still running 3.1.3.RELEASE or earlier remain vulnerable regardless of other controls
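As an added example (not taken from any of the sources quoted on this page) of the inventory and input checks the bullets above describe, this Python snippet scans constructed pom.xml and Gradle fragments for the Thymeleaf artifacts listed in the affected table, compares their versions against the 3.1.4.RELEASE fix (handling both the `.RELEASE`-suffixed and bare `3.1.4` forms that the table shows), and flags request parameters carrying Thymeleaf expression delimiters. The sample manifests and the artifact set are assumptions constructed for the example.

```python
import re

# Fix per the advisory: 3.1.4.RELEASE (the affected table also lists it as 3.1.4).
FIXED_VERSION = (3, 1, 4)

# Thymeleaf artifacts from the affected-ranges table (assumed set for this example).
THYMELEAF_ARTIFACTS = {"thymeleaf", "thymeleaf-spring5", "thymeleaf-spring6"}

# Thymeleaf expression delimiters listed in the detection notes: ${..} *{..} #{..} @{..} ~{..}
EXPRESSION_RE = re.compile(r"[$*#@~]\{[^}]*\}")

def parse_version(text):
    """Turn '3.1.3.RELEASE' or '3.1.4' into a comparable tuple such as (3, 1, 3)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(n) for n in m.groups()) if m else None

def is_vulnerable(version_text):
    """True when the version sorts below the fixed release; unparsable versions are not flagged."""
    v = parse_version(version_text)
    return v is not None and v < FIXED_VERSION

def find_thymeleaf_deps(manifest_text):
    """Return [(artifact, version)] for Thymeleaf artifacts declared in a pom.xml or Gradle file."""
    found = []
    # Maven form: <dependency> ... <artifactId>X</artifactId> ... <version>Y</version> ... </dependency>
    for dep in re.finditer(r"<dependency>(.*?)</dependency>", manifest_text, re.S):
        art = re.search(r"<artifactId>([^<]+)</artifactId>", dep.group(1))
        ver = re.search(r"<version>([^<]+)</version>", dep.group(1))
        if art and ver and art.group(1) in THYMELEAF_ARTIFACTS:
            found.append((art.group(1), ver.group(1)))
    # Gradle form: implementation 'org.thymeleaf:X:Y'
    for m in re.finditer(r"org\.thymeleaf:([\w-]+):([\w.]+)", manifest_text):
        if m.group(1) in THYMELEAF_ARTIFACTS:
            found.append((m.group(1), m.group(2)))
    return found

def vulnerable_deps(manifest_text):
    """Only the declarations whose version predates 3.1.4."""
    return [(a, v) for a, v in find_thymeleaf_deps(manifest_text) if is_vulnerable(v)]

def contains_expression(user_input):
    """Flag a request parameter that carries Thymeleaf expression syntax (input-validation signal)."""
    return EXPRESSION_RE.search(user_input) is not None

# Constructed sample manifests: one vulnerable and one fixed Maven dependency, one old Gradle one.
SAMPLE_POM = """<project><dependencies>
  <dependency><groupId>org.thymeleaf</groupId><artifactId>thymeleaf-spring6</artifactId>
    <version>3.1.3.RELEASE</version></dependency>
  <dependency><groupId>org.thymeleaf</groupId><artifactId>thymeleaf</artifactId>
    <version>3.1.4.RELEASE</version></dependency>
</dependencies></project>"""
SAMPLE_GRADLE = "implementation 'org.thymeleaf:thymeleaf-spring5:3.0.15.RELEASE'\n"

if __name__ == "__main__":
    print(vulnerable_deps(SAMPLE_POM), vulnerable_deps(SAMPLE_GRADLE))
```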
CVSS provenance
- NVD (v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- Red Hat (vendor): 9.0 CRITICAL
Red Hat
thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass
vendor_redhat·2026-04-17·CVSS 9.0
CVE-2026-40478 [CRITICAL] CWE-917 thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass
A flaw was found in Thymeleaf, a server-side Java template
VulDB
thymeleaf/thymeleaf-spring5/thymeleaf-spring6 up to 3.1.3 expression language injection (GHSA-xjw8-8c5c-9r79)
vuldb·2026-04-18·CVSS 9.0
A vulnerability labeled as problematic has been found in thymeleaf, thymeleaf-spring5 and thymeleaf-spring6 up to 3.1.3. This impacts an unknown function. The manipulation results in improper neutralization of special elements used in an expression language statement.
This vulnerability was named CVE-2026-40478. The attack may be performed from remote. There is no available exploit.
The affected component should be upgraded.
GHSA
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
ghsa·2026-04-15
CVE-2026-40478 [CRITICAL] CWE-1336 Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
### Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).
### Patches
This has been fixed in Thymeleaf 3.1.4.RELEASE.
### Workarounds
No workaround is available beyond ensuring applications do not pass unvalidated user inp
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40478 thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass
bugzilla·2026-04-17·CVSS 9.0
Hackernews
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews·2026-04-20
CVE-2026-20184 ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
References
- https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/security/cve/CVE-2026-40478
- https://bugzilla.redhat.com/show_bug.cgi?id=2459349
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40478.json
Published: 2026-04-17