PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40477 thymeleaf CVE debrief

CVE-2026-40477 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. Versions 3.1.3.RELEASE and prior are affected; the issue carries a CVSS score of 9. The vulnerability allows an unauthenticated remote attacker to bypass the library's protections and achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template engine. This issue has been fixed in version 3.1.4.RELEASE. The vulnerability was published on April 17, 2026, and modified on June 30, 2026.

Vendor: thymeleaf
Product: Unknown
CVSS: CRITICAL 9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-17
Original CVE updated: 2026-06-30
Advisory published: 2026-04-17
Advisory updated: 2026-06-30

Who should care

Developers and administrators using Thymeleaf versions 3.1.3.RELEASE and prior should be concerned about this vulnerability. If an application passes unvalidated user input to the template engine, an unauthenticated remote attacker could exploit this vulnerability to achieve SSTI. Users of Red Hat products may also be affected, as indicated by Red Hat's errata and security advisories.

Technical summary

Thymeleaf, a server-side Java template engine, contains a security bypass vulnerability in its expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it does not properly restrict the scope of objects reachable from an expression, so specific potentially sensitive objects can be reached from within a template. CVE-2026-40477 has a CVSS score of 9 and is classified as CRITICAL. An unauthenticated remote attacker can exploit it to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template engine. The vulnerability is addressed in version 3.1.4.RELEASE.

Defensive priority

This vulnerability has a high defensive priority due to its critical CVSS score and potential impact. Affected users should prioritize upgrading to version 3.1.4.RELEASE or applying mitigations as soon as possible.

Recommended defensive actions

  • Upgrade to Thymeleaf version 3.1.4.RELEASE or later.
  • Validate and sanitize user input before passing it to the template engine.
  • Implement additional security measures to detect and prevent SSTI attacks.
  • Review application code to ensure secure usage of Thymeleaf.
  • Monitor for and respond to potential exploitation attempts.
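The second and fourth actions above come down to one coding rule: user input must never become part of the template source that the engine parses; it belongs in the model, where the engine escapes it. The following is an added example written for this debrief, not code from PatchSiren or from the Thymeleaf project, and it does not depend on the specific bypass behind CVE-2026-40477. It uses Thymeleaf's public `TemplateEngine`, `StringTemplateResolver` and `Context` API and shows the unsafe pattern beside the fixed one; the class name, method names and the sample input are assumptions made for the example. Upgrading the dependency to 3.1.4.RELEASE or later is still required; the pattern below only removes the precondition (attacker-controlled template text) that the advisory names.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

/**
 * Added example (not PatchSiren's or Thymeleaf's own code): the unsafe pattern the
 * debrief warns about, beside the fixed pattern. Both render a greeting for a
 * user-supplied display name; only the second keeps the input out of the template source.
 */
public class ThymeleafInputHandling {

    // Build an engine that resolves templates directly from a String (public Thymeleaf API).
    private static TemplateEngine newEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // UNSAFE: the user-controlled string is concatenated into the template itself, so the
    // engine parses it as template markup and evaluates whatever expression syntax it contains.
    // This is the "unvalidated user input passed directly to the template engine" precondition.
    public static String renderUnsafe(String displayName) {
        String templateSource = "<p>Hello, " + displayName + "!</p>";
        return newEngine().process(templateSource, new Context());
    }

    // SAFE: the template is a fixed, developer-authored string; the user value is supplied as a
    // model variable and emitted with th:text, which HTML-escapes it and never evaluates it.
    public static String renderSafe(String displayName) {
        String templateSource =
            "<p>Hello, <span th:text=\"${displayName}\">name</span>!</p>";
        Context ctx = new Context();
        ctx.setVariable("displayName", displayName);
        return newEngine().process(templateSource, ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input (assumption for the example): a value containing markup
        // characters, which the safe path escapes rather than interprets.
        String input = "<b>Ada</b>";
        System.out.println(renderSafe(input));
    }
}
```

When reviewing application code for this issue, look for any call to `process(...)` (or any Spring view name) whose template argument is built from request data; every such site is an instance of `renderUnsafe` and should be rewritten in the shape of `renderSafe`.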

Evidence notes

The CVE-2026-40477 vulnerability was published on April 17, 2026, and modified on June 30, 2026. The vulnerability affects Thymeleaf versions 3.1.3.RELEASE and prior. Red Hat has provided errata and security advisories related to this vulnerability, indicating potential impact on Red Hat products. The CVSS score is 9, indicating a critical severity.

Official resources

This article is AI-assisted and based on the supplied source corpus.