PatchSiren cyber security CVE debrief
CVE-2026-40478 thymeleaf CVE debrief
CVE-2026-40478 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. It affects versions 3.1.3.RELEASE and prior. If an application passes unvalidated user input directly to the template engine (that is, as part of the template text rather than as a template variable), an unauthenticated remote attacker can exploit the issue to achieve Server-Side Template Injection (SSTI). The issue is fixed in version 3.1.4.RELEASE. The vulnerability has a CVSS score of 9 and a severity of CRITICAL.
- Vendor
- thymeleaf
- Product
- Unknown
- CVSS
- CRITICAL 9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-17
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-04-17
- Advisory updated
- 2026-06-30
Who should care
Developers and administrators of applications that use Thymeleaf 3.1.3.RELEASE or earlier. An application is exposed if it passes unvalidated user input directly to the template engine, which can enable Server-Side Template Injection (SSTI). Affected users should update to version 3.1.4.RELEASE or apply mitigations as soon as possible; applications that only ever hand user data to Thymeleaf as context variables are not in the exploitable configuration the advisory describes, but should still update.
Technical summary
Thymeleaf, a server-side Java template engine, contains a security bypass in versions 3.1.3.RELEASE and prior: the library fails to properly neutralize specific syntax patterns, so expressions that should be blocked can be evaluated. Where an application passes unvalidated user input directly to the template engine, this enables Server-Side Template Injection (SSTI). The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (score 9.0): reachable over the network with no privileges or user interaction, high attack complexity consistent with the precondition that user input must reach the engine as template content, and a scope change with high impact to confidentiality, integrity and availability. The associated weaknesses are CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).
Defensive priority
This vulnerability has a high defensive priority due to its critical severity and potential for remote exploitation. Affected users should prioritize updating to version 3.1.4.RELEASE or applying mitigations.
Recommended defensive actions
- Update Thymeleaf to version 3.1.4.RELEASE or later.
- Validate user input before it reaches Thymeleaf, and never splice it into template text: render it through a context variable (for example with th:text) so that it is output-escaped rather than parsed and evaluated.
- As defense in depth, not as a substitute for the update, use a web application firewall (WAF) or request filter to detect and block Thymeleaf expression syntax in request parameters.
- Monitor and audit application logs for request parameters carrying template expression syntax or other suspicious activity.
- Where templates must be assembled dynamically, prefer a design (or a template engine or rendering mode) that keeps user-supplied data strictly separate from template source, so that template injection is structurally impossible rather than merely filtered.
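As an added example (not code from the Thymeleaf project or from the advisory), the following Java sketch shows the generic SSTI pattern described in the technical summary beside the hardened form recommended above: user input concatenated into template source versus user input passed as a context variable, plus a defense-in-depth check for Thymeleaf expression syntax that can be applied both to incoming input and to request-parameter values in application logs. It assumes Thymeleaf 3.x on the classpath (org.thymeleaf:thymeleaf); the class and method names are illustrative. It does not reproduce the specific syntax bypass fixed in 3.1.4.RELEASE, which the advisory does not describe; the probe `[[${7*7}]]` is ordinary, harmless Thymeleaf inlining syntax.

```java
// Added example, not Thymeleaf project code. Assumes org.thymeleaf:thymeleaf 3.x
// on the classpath. Demonstrates the generic SSTI pattern (input as template text)
// against the hardened pattern (input as a context variable); it does not reproduce
// the specific bypass fixed in 3.1.4.RELEASE.
import java.util.regex.Pattern;

import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafSstiDemo {

    // Thymeleaf standard-expression prefixes (${} *{} #{} @{} ~{}), inlining
    // markers ([[ ]] and [( )]) and the __ preprocessing marker. Used as a
    // defense-in-depth check on input and as a pattern to flag in request logs;
    // it is NOT a substitute for keeping user input out of template source.
    private static final Pattern TEMPLATE_SYNTAX = Pattern.compile(
            "\\$\\{|\\*\\{|#\\{|@\\{|~\\{|\\[\\[|\\[\\(|__");

    private static TemplateEngine newEngine() {
        // With StringTemplateResolver the "template name" passed to process()
        // is the template text itself.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // VULNERABLE pattern (CWE-1336): the user's input becomes part of the template
    // source, so any expression syntax it carries is parsed and evaluated.
    static String renderUnsafe(TemplateEngine engine, String userInput) {
        String template = "<p>Hello " + userInput + "</p>";
        return engine.process(template, new Context());
    }

    // HARDENED pattern: the template is a fixed string and the input is a context
    // variable. th:text emits the value HTML-escaped; it is never parsed as template.
    static String renderSafe(TemplateEngine engine, String userInput) {
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return engine.process("<p>Hello <span th:text=\"${name}\"></span></p>", ctx);
    }

    // Defense in depth: reject (or log) a value carrying template syntax before it
    // reaches the engine. The same check can be run over request-parameter values
    // recorded in application logs to surface SSTI probing.
    static boolean containsTemplateSyntax(String value) {
        return value != null && TEMPLATE_SYNTAX.matcher(value).find();
    }

    public static void main(String[] args) {
        TemplateEngine engine = newEngine();
        // Constructed probe input: harmless arithmetic in inlining syntax. If the
        // engine evaluates it, the output contains 49 instead of the literal text.
        String probe = "[[${7*7}]]";

        System.out.println("unsafe:  " + renderUnsafe(engine, probe));      // expression evaluated
        System.out.println("safe:    " + renderSafe(engine, probe));        // literal, escaped text
        System.out.println("flagged: " + containsTemplateSyntax(probe));    // true
        System.out.println("flagged: " + containsTemplateSyntax("Alice"));  // false
    }
}
```

The update to 3.1.4.RELEASE remains the fix. The hardened pattern is worth adopting regardless of version, because the engine never sees user data as template text and so has nothing to evaluate; the syntax deny-list is a secondary control that can be bypassed by encodings or patterns it does not know about, which is exactly why it should not be the only line of defense.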
Evidence notes
The CVE-2026-40478 vulnerability was published on April 17, 2026, and modified on June 30, 2026. The vulnerability affects Thymeleaf versions 3.1.3.RELEASE and prior. The CVSS score is 9, and the severity is CRITICAL. The CWEs associated with this vulnerability are CWE-917 and CWE-1336.
Official resources
- CVE-2026-40478 CVE record (CVE.org)
- CVE-2026-40478 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.