PatchSiren cyber security CVE debrief
CVE-2026-40477 thymeleaf CVE debrief
CVE-2026-40477 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. Versions 3.1.3.RELEASE and prior are affected, with a CVSS score of 9. The vulnerability allows an unauthenticated remote attacker to bypass the library's protections to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template engine. This issue has been fixed in version 3.1.4.RELEASE. The vulnerability was published on April 17, 2026, and modified on June 30, 2026.
- Vendor: thymeleaf
- Product: Unknown
- CVSS: CRITICAL 9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-17
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-17
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using Thymeleaf versions 3.1.3.RELEASE and prior should be concerned about this vulnerability. If an application passes unvalidated user input to the template engine, an unauthenticated remote attacker could exploit this vulnerability to achieve SSTI. Users of Red Hat products may also be affected, as indicated by Red Hat's errata and security advisories.
Technical summary
Thymeleaf, a server-side Java template engine, contains a security bypass vulnerability in its expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. This vulnerability, CVE-2026-40477, has a CVSS score of 9 and is classified as CRITICAL. An unauthenticated remote attacker can exploit this vulnerability to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template engine. The vulnerability is addressed in version 3.1.4.RELEASE.
Defensive priority
This vulnerability has a high defensive priority due to its critical CVSS score and potential impact. Affected users should prioritize upgrading to version 3.1.4.RELEASE or applying mitigations as soon as possible.
Recommended defensive actions
- Upgrade to Thymeleaf version 3.1.4.RELEASE or later.
- Validate and sanitize user input before passing it to the template engine.
- Implement additional security measures to detect and prevent SSTI attacks.
- Review application code to ensure secure usage of Thymeleaf.
- Monitor for and respond to potential exploitation attempts.
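The technical summary and the second recommended action both turn on the same condition: user input being handed to the template engine as template source rather than as data. The following Java example, added here and not taken from the Thymeleaf project or from the advisory, contrasts the two patterns using the standard Thymeleaf 3 API (TemplateEngine, StringTemplateResolver, Context). The class name, the greeting template and the sample input are constructed for illustration; the example does not reproduce the specific bypass in CVE-2026-40477 and is a code-review aid, not a substitute for upgrading to 3.1.4.RELEASE.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Hypothetical renderer used to show the pattern to look for during code review.
public class GreetingRenderer {

    private final TemplateEngine engine;

    public GreetingRenderer() {
        // StringTemplateResolver treats the String passed to process() as the
        // template source itself, which is what makes the unsafe pattern unsafe.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
    }

    // UNSAFE pattern: the request parameter is concatenated into the template
    // source, so whatever the caller sends is parsed as markup and expression
    // syntax. This is the "unvalidated user input passed directly to the
    // template engine" condition the advisory describes.
    public String renderUnsafe(String userSupplied) {
        String template = "<p>Hello, " + userSupplied + "!</p>";
        return engine.process(template, new Context());
    }

    // SAFE pattern: the template is a fixed, developer-controlled string; user
    // data enters only as a context variable and is emitted through th:text,
    // which HTML-escapes it and never evaluates it as an expression.
    public String renderSafe(String userSupplied) {
        String template = "<p th:text=\"'Hello, ' + ${name} + '!'\">placeholder</p>";
        Context ctx = new Context();
        ctx.setVariable("name", userSupplied);
        return engine.process(template, ctx);
    }

    public static void main(String[] args) {
        GreetingRenderer r = new GreetingRenderer();
        // Constructed sample input containing characters that are significant
        // to HTML; the safe path escapes them in the output.
        String input = "Alice <b>&</b>";
        System.out.println(r.renderSafe(input));
        // renderUnsafe() is retained only so reviewers can recognise the shape
        // of the pattern; it should never be reached with request data.
    }
}
```

When reviewing an application for the fourth recommended action, the thing to search for is any call to `TemplateEngine.process()` (or a template name or fragment expression) whose String argument is built from request data. Moving that data into `Context.setVariable()` and referencing it from a static template removes the injection surface regardless of which library version is deployed; the upgrade to 3.1.4.RELEASE is still required for the library-level fix.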
Evidence notes
The CVE-2026-40477 vulnerability was published on April 17, 2026, and modified on June 30, 2026. The vulnerability affects Thymeleaf versions 3.1.3.RELEASE and prior. Red Hat has provided errata and security advisories related to this vulnerability, indicating potential impact on Red Hat products. The CVSS score is 9, indicating a critical severity.
Official resources
- CVE-2026-40477 CVE record (CVE.org)
- CVE-2026-40477 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.