CVE-2026-40477

Thymeleaf · Java template engine

Thymeleaf versions 3.1.3.RELEASE and prior are vulnerable to Server-Side Template Injection (SSTI) due to insufficient restriction of accessible objects within the expression execution mechanism.

Executive summary

An unauthenticated remote attacker can exploit a template injection vulnerability in Thymeleaf versions 3.1.3.RELEASE and prior to execute arbitrary expressions.

Vulnerability

The flaw lies in the expression execution mechanism: it does not sufficiently restrict which objects an expression may reach, so an unauthenticated attacker who controls input that is evaluated as a template can bypass the object scope restrictions. Injecting crafted input into the template engine therefore results in Server-Side Template Injection (SSTI).

Business impact

The ability to perform SSTI poses a critical risk to business operations, potentially leading to unauthorized data access, remote code execution, and total system compromise. With a CVSS score of 9.0, this vulnerability represents a severe threat to the confidentiality, integrity, and availability of any application that uses the affected library.

Remediation

Immediate Action: Upgrade Thymeleaf to version 3.1.4.RELEASE or later, which applies the necessary object scope restrictions.

Proactive Monitoring: Review web application logs for unusual expression patterns or unexpected characters within user-supplied input fields.

Compensating Controls: Implement strict input validation and sanitization for all user-provided data passed to the template engine to prevent malicious expression injection.
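As an added illustration of the compensating control above (not code from this advisory or from the Thymeleaf project), the following Java snippet keeps user input out of the template source: values are rendered only through a context variable and th:text, and any input carrying Thymeleaf expression or inlining syntax is rejected before it reaches the engine. The class name, method names and the greeting template are assumptions; the delimiters checked are Thymeleaf's documented expression syntax.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templateresolver.StringTemplateResolver;

import java.util.regex.Pattern;

public class SafeTemplateRendering {

    // Thymeleaf expression delimiters ${..}, *{..}, #{..}, @{..}, ~{..},
    // the inlining markers [[..]] and [(..)], and __..__ preprocessing.
    private static final Pattern EXPRESSION_SYNTAX =
            Pattern.compile("[$*#@~]\\{|\\[\\[|\\[\\(|__");

    private static final TemplateEngine ENGINE = new TemplateEngine();

    static {
        // Templates are supplied as strings here only to keep the example self-contained.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode("HTML");
        ENGINE.setTemplateResolver(resolver);
    }

    /** Compensating control: refuse any user-supplied value that contains expression syntax. */
    public static boolean containsExpressionSyntax(String input) {
        return input != null && EXPRESSION_SYNTAX.matcher(input).find();
    }

    /**
     * Safe pattern: the template source is a constant (assumed greeting template);
     * user input is a model variable rendered through th:text, which HTML-escapes
     * the value and never evaluates it as an expression.
     */
    public static String renderGreeting(String userName) {
        if (containsExpressionSyntax(userName)) {
            throw new IllegalArgumentException("rejected: input contains template expression syntax");
        }
        Context ctx = new Context();
        ctx.setVariable("userName", userName);
        return ENGINE.process("<p th:text=\"'Hello, ' + ${userName}\"></p>", ctx);
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain name renders; one carrying expression syntax is rejected.
        System.out.println(renderGreeting("Alice"));
        System.out.println(containsExpressionSyntax("${user.name}"));
        System.out.println(containsExpressionSyntax("[[${user.name}]]"));
    }
}
```

The validator is a defence-in-depth check for values that must reach the engine; it does not replace the upgrade to 3.1.4.RELEASE.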

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical nature of SSTI vulnerabilities, organizations should prioritize patching Thymeleaf to the latest version. Failure to update significantly increases the risk of remote compromise and unauthorized access to sensitive application environments.