PatchSiren

CVE-2026-40478 thymeleaf CVE debrief

CVE-2026-40478 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. It affects Thymeleaf 3.1.3.RELEASE and all earlier releases; the fix shipped in 3.1.4.RELEASE. Certain syntax patterns are not neutralized by the engine, so expressions that should be blocked can be executed. An unauthenticated remote attacker can turn this into Server-Side Template Injection (SSTI), but only where the application itself hands unvalidated user input to the template engine as template source, template name or fragment selector. The CVSS 3.1 base score is 9.0 (Critical).

Vendor
thymeleaf
Product
Unknown
CVSS
CRITICAL 9.0
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-17
Original CVE updated
2026-06-30
Advisory published
2026-04-17
Advisory updated
2026-06-30

Who should care

Developers and administrators running any Thymeleaf release up to and including 3.1.3.RELEASE, directly or through Spring Boot's Thymeleaf starter, should check whether their applications let request data reach the template engine as anything other than a model variable. The risky cases are templates or fragments built by string concatenation, and view names, template names or fragment selectors derived from request parameters. Data that only enters the model and is rendered through standard attributes such as th:text is escaped, not evaluated, so applications that follow that pattern are at far lower risk, but the engine-level fix is still the upgrade to 3.1.4.RELEASE. Where the upgrade cannot be scheduled immediately, apply the mitigations below.

Technical summary

Thymeleaf, a server-side Java template engine, contains a security bypass vulnerability in versions 3.1.3.RELEASE and prior. The library fails to properly neutralize specific syntax patterns, which allows expressions that the engine's restrictions should have blocked to execute. The stored evidence does not describe the patterns themselves. The consequence is Server-Side Template Injection (SSTI) wherever an application developer passes unvalidated user input directly to the template engine as template text rather than as a model value. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H: reachable over the network, no privileges or user interaction required, scope changed (the impact extends beyond the vulnerable component to the host), and full loss of confidentiality, integrity and availability. The high attack complexity reflects the precondition that the application must supply the injection point. The associated weaknesses are CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, 'Expression Language Injection') and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).

Defensive priority

This vulnerability has a high defensive priority: once the precondition holds, the rest of the vector describes an unauthenticated, interaction-free compromise of the host with full impact on confidentiality, integrity and availability. Upgrade to 3.1.4.RELEASE first; where that is blocked, remove or allow-list every path by which request data reaches the engine as template source, since that is what the high-complexity attack depends on.

Recommended defensive actions

  • Update Thymeleaf to version 3.1.4.RELEASE or later, and rebuild any application that bundles the library transitively (for example through the Spring Boot Thymeleaf starter).
  • Audit the code base for user input that reaches the engine as template text: TemplateEngine.process() calls on concatenated strings, Spring MVC handlers that return a view name or fragment selector built from request parameters, and any custom template resolver fed by request data. Pass user data only as model variables; where template selection must depend on the request, map the value through a fixed allow-list.
  • Treat a web application firewall as a stopgap, not a fix: a WAF can flag common SSTI probes (expression delimiters such as ${, *{ and __ in request parameters) but cannot know which parameters your application splices into templates.
  • Monitor and audit application and access logs for expression syntax in request parameters that feed templates, and for unexpected process or network activity from the JVM.
  • If a feature genuinely needs user-authored templates, render them with an engine designed for untrusted template text (logic-less or sandboxed); Thymeleaf's expression language is not intended to evaluate attacker-supplied templates.
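The following Java class is an added example, not code from the PatchSiren page or from the Thymeleaf project. It puts the anti-pattern named in the technical summary (request data concatenated into template source) beside the two safe patterns the defensive actions call for (user data as model variables only, and template selection through an allow-list). It assumes Thymeleaf 3.1.x on the classpath; the class and method names are hypothetical. The probe string `[[${7*7}]]` is the generic "does my text get evaluated" check used in SSTI testing, not the specific bypass syntax of CVE-2026-40478, which the stored evidence does not describe.

```java
import java.util.Map;
import java.util.Objects;

import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Hypothetical class for illustration; not part of Thymeleaf.
public class GreetingRenderer {

    private final TemplateEngine engine;

    public GreetingRenderer() {
        // StringTemplateResolver treats the string handed to process() as the
        // template source itself, which is exactly where user data must not go.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
    }

    // VULNERABLE PATTERN: request data is concatenated into the template source.
    // Anything the engine parses as expression or inlining syntax inside
    // `greeting` is evaluated with the engine's privileges. This is the
    // precondition the advisory describes; the CVE-specific bypass syntax is
    // deliberately not shown here.
    public String renderUnsafe(String greeting, String name) {
        Context ctx = new Context();
        ctx.setVariable("name", name);
        String template = "<p>" + greeting + ", <span th:text=\"${name}\">x</span></p>";
        return engine.process(template, ctx);
    }

    // SAFE PATTERN: the template is a constant; user data only ever enters the
    // model. th:text HTML-escapes the value and never evaluates it as an expression.
    private static final String TEMPLATE =
        "<p><span th:text=\"${greeting}\">Hello</span>, "
        + "<span th:text=\"${name}\">x</span></p>";

    public String renderSafe(String greeting, String name) {
        Context ctx = new Context();
        ctx.setVariable("greeting", greeting);
        ctx.setVariable("name", name);
        return engine.process(TEMPLATE, ctx);
    }

    // When template SELECTION must depend on the request (locale, theme, ...),
    // look the user value up in a fixed allow-list instead of splicing it into a
    // template or view name. Unknown keys fall back to a fixed default, so no
    // attacker-controlled string ever becomes template source.
    private static final Map<String, String> TEMPLATES_BY_LANG = Map.of(
        "en", "<p th:text=\"|Hello, ${name}|\">Hello</p>",
        "fr", "<p th:text=\"|Bonjour, ${name}|\">Bonjour</p>");

    public String renderLocalized(String lang, String name) {
        String key = Objects.requireNonNullElse(lang, "en");
        String template = TEMPLATES_BY_LANG.getOrDefault(key, TEMPLATES_BY_LANG.get("en"));
        Context ctx = new Context();
        ctx.setVariable("name", name);
        return engine.process(template, ctx);
    }

    public static void main(String[] args) {
        GreetingRenderer r = new GreetingRenderer();
        // Constructed input: the generic SSTI probe (inlined arithmetic).
        String probe = "[[${7*7}]]";

        // Unsafe path: the probe is part of the template and gets evaluated.
        System.out.println(r.renderUnsafe(probe, "Bob"));
        // Safe path: the probe is a model value and is emitted as literal text.
        System.out.println(r.renderSafe(probe, "Bob"));
        // Allow-list path: an unknown key cannot reach the engine as template source.
        System.out.println(r.renderLocalized("../../etc", "Bob"));
    }
}
```

Run with Thymeleaf 3.1.x on the classpath and compare the first two lines of output: the unsafe path prints the arithmetic result in place of the probe, the safe path prints the probe text unchanged. That difference is the check to apply to your own code: if a request parameter can change what the engine evaluates rather than what it displays, that parameter is an injection point, whichever Thymeleaf version is installed. The upgrade to 3.1.4.RELEASE closes the specific bypass; removing the pattern closes the class.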

Evidence notes

The CVE-2026-40478 record was published on April 17, 2026, and last modified on June 30, 2026; the advisory carries the same dates. The affected range is Thymeleaf 3.1.3.RELEASE and prior, with 3.1.4.RELEASE as the fixed version. The CVSS 3.1 base score is 9.0 (Critical) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The associated weaknesses are CWE-917 and CWE-1336. The stored evidence lists the product as Unknown, does not include a CISA KEV entry, and does not describe the syntax patterns that trigger the bypass.

Official resources

This article is AI-assisted and based on the supplied source corpus.