CVE-2026-40478 — Expression Language Injection in Org.thymeleaf Thymeleaf-spring5

CWE-917 — Expression Language Injection CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine3 documents3 sources

Severity

9.0CRITICALNVD

EPSS

0.1%

top 67.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thymeleaf Org.thymeleaf Thymeleaf-spring5 Thymeleaf Org.thymeleaf Thymeleaf-spring6 Thymeleaf

Timeline

PublishedApr 17

Latest updateApr 18

Description

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.2 | Impact: 6.0

Affected Packages3 packages

▶CVEListV5thymeleaf/thymeleaf< 3.1.4.RELEASE

▶CVEListV5thymeleaf/org.thymeleaf_thymeleaf-spring5< 3.1.4.RELEASE

▶CVEListV5thymeleaf/org.thymeleaf_thymeleaf-spring6< 3.1.4.RELEASE

🔴Vulnerability Details

VulDB

thymeleaf/thymeleaf-spring5/thymeleaf-spring6 up to 3.1.3 expression language injection (GHSA-xjw8-8c5c-9r79)↗2026-04-18

▶

GHSA

Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf↗2026-04-15

▶