CVE-2026-40478
published 2026-04-17

CVE-2026-40478: Thymeleaf security bypass in expression execution leading to SSTI (versions 3.1.3.RELEASE and prior)

Priority: P2 (62) · Severity: critical · CVSS 3.1 base score: 9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.78% (51.2nd percentile)
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.

Affected (8 ranges)

Vendor | Product | Version range | Fixed in
devspaces | openvsx-rhel9 | |
devspaces | pluginregistry-rhel9 | |
thymeleaf | org.thymeleaf_thymeleaf-spring5 | < 3.1.4.RELEASE | 3.1.4.RELEASE
thymeleaf | org.thymeleaf_thymeleaf-spring5 | |
thymeleaf | org.thymeleaf_thymeleaf-spring6 | < 3.1.4.RELEASE | 3.1.4.RELEASE
thymeleaf | thymeleaf | < 3.1.4.RELEASE | 3.1.4.RELEASE
thymeleaf | thymeleaf | < 3.1.4 | 3.1.4
thymeleaf | thymeleaf | |

Detection & IOCs (extracted from sources)

  • Vulnerability class is Server-Side Template Injection (SSTI) via expression execution bypass in Thymeleaf; detect unvalidated user input being passed directly to the Thymeleaf template engine, particularly inputs containing template expression syntax (e.g., ${...}, *{...}, #{...}, @{...}, ~{...})
  • Affected versions are Thymeleaf 3.1.3.RELEASE and prior; flag use of these versions in dependency manifests (pom.xml, gradle files) as a detection/inventory signal
  • Monitor affected packages across Red Hat ecosystems: thymeleaf, camel-thymeleaf, spring-boot-starter-thymeleaf, thymeleaf-spring5, thymeleaf-extras-java8time, smallrye-mutiny-vertx-web-templ-thymeleaf, vertx-web-templ-thymeleaf — presence of these in Red Hat JBoss EAP 7/8, Red Hat Fuse 7, Red Hat SSO 7, and Red Hat OpenShift Dev Spaces indicates exposure
  • The vulnerability is only exploitable when application developers pass unvalidated user input directly to the Thymeleaf template engine; applications that properly validate and sanitize user input before template processing are not affected
  • Fixed version is 3.1.4.RELEASE; environments still running 3.1.3.RELEASE or earlier remain vulnerable regardless of other controls

CVSS provenance

nvd (CVSS v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_redhat: 9.0 CRITICAL