PatchSiren

thymeleaf CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL thymeleaf CVE published 2026-04-17

CVE-2026-40478

CVE-2026-40478 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. The vulnerability exists in versions 3.1.3.RELEASE and prior. An unauthenticated remote attacker can exploit this vulnerability to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template engine. The issue has been fixed in ver [truncated]

CRITICAL thymeleaf CVE published 2026-04-17

CVE-2026-40477

CVE-2026-40477 is a critical security bypass vulnerability in Thymeleaf, a server-side Java template engine. Versions 3.1.3.RELEASE and prior are affected, with a CVSS score of 9. The vulnerability allows an unauthenticated remote attacker to bypass the library's protections to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template [truncated]