CVE-2026-40478 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. The vulnerability exists in versions 3.1.3.RELEASE and prior. An unauthenticated remote attacker can exploit this vulnerability to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template engine. The issue has been fixed in ver [truncated]
CVE-2026-40477 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. Versions 3.1.3.RELEASE and prior are affected, with a CVSS score of 9. The vulnerability allows an unauthenticated remote attacker to bypass the library's protections to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template [truncated]