CVE-2026-40478
Thymeleaf · Thymeleaf
Thymeleaf versions 3.1.3.RELEASE and prior are susceptible to Server-Side Template Injection (SSTI) due to insufficient neutralization of expression syntax.
Executive summary
A critical Server-Side Template Injection vulnerability in Thymeleaf allows unauthenticated remote attackers to inject and execute template expressions of their choosing whenever the application passes unvalidated input to the template engine.
Vulnerability
This is an expression injection vulnerability where the engine fails to properly sanitize specific syntax patterns, allowing an unauthenticated remote attacker to bypass protections if the application passes unvalidated input to the engine.
Business impact
An SSTI vulnerability allows for remote code execution, which can lead to complete server compromise and unauthorized access to backend data. With a CVSS score of 9.0, this represents a critical risk to the confidentiality, integrity, and availability of any web application utilizing the vulnerable library.
Remediation
Immediate Action: Upgrade the Thymeleaf library to version 3.1.4.RELEASE or later to incorporate the necessary security fixes.
Proactive Monitoring: Review application logs for input strings containing suspicious template expression syntax and monitor for unexpected system process execution.
Compensating Controls: Implement strict input validation and sanitization routines at the application layer to ensure that user-supplied data cannot be interpreted as template expressions.
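The two defensive measures above (scanning logs for template expression syntax and validating user input before it can reach the engine) are concrete enough to show in code. The following Python script is an added example written for this advisory; it is not Thymeleaf project code and it implements no part of the fix. It assumes a combined-format access log, and the view allow-list, log lines and request targets are constructed sample data. The markers it looks for are the documented Thymeleaf Standard Dialect delimiters (variable `${...}`, selection `*{...}`, message `#{...}`, link `@{...}`, fragment `~{...}` and `__...__` preprocessing); the advisory does not say which specific pattern is affected, so the scanner flags all of them.

```python
import re
from urllib.parse import unquote

# Thymeleaf Standard Dialect expression delimiters (documented public syntax):
# ${...} variable, *{...} selection, #{...} message, @{...} link, ~{...} fragment
# expressions, and __...__ preprocessing. Their presence in user-supplied data is
# the signal the advisory's monitoring advice asks for.
EXPRESSION_MARKERS = re.compile(r"[$*#@~]\{|__.+?__")

# Constructed allow-list (assumption for this example). View and fragment names
# should never be free text; an allow-list is the simplest compensating control
# when user input selects which template is rendered.
ALLOWED_VIEWS = frozenset({"home", "search", "product/detail"})


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so percent-encoded markers are still recognized."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_template_syntax(value: str) -> bool:
    """True if the user-supplied string carries Thymeleaf expression syntax."""
    return EXPRESSION_MARKERS.search(normalize(value)) is not None


def validate_view_name(name: str) -> str:
    """Compensating control: reject any view name not on the allow-list."""
    if name not in ALLOWED_VIEWS:
        raise ValueError(f"view name not permitted: {name!r}")
    return name


# Request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')


def scan_access_log(lines):
    """Return (line_number, decoded_request_target) for every request whose
    path or query string contains template expression syntax."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = normalize(match.group(1))
        if EXPRESSION_MARKERS.search(target):
            hits.append((number, target))
    return hits


# Constructed sample access-log lines (not real traffic). Line 2 carries a
# percent-encoded "${...}" in the query string; line 4 a "__...__" marker.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /search?q=laptop HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2026:10:00:01 +0000] "GET /search?q=%24%7Bx%7D HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2026:10:00:02 +0000] "POST /login HTTP/1.1" 302 0',
    '192.0.2.13 - - [01/Jan/2026:10:00:03 +0000] "GET /view/__x__ HTTP/1.1" 404 128',
]

if __name__ == "__main__":
    for number, target in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: template syntax in request target {target!r}")
```

Run it as a script to list the flagged log lines, or import `contains_template_syntax` and `validate_view_name` into a request-handling layer. The scanner only covers the request target; POST bodies and headers need the same decode-then-match treatment. Expect some false positives on legitimate input that happens to contain `#{` or `@{`, so treat a hit as a lead for correlating with process-execution telemetry rather than as confirmation of exploitation.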
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of Server-Side Template Injection cannot be overstated. Developers must prioritize the library update to version 3.1.4.RELEASE and audit all areas of their application where user-supplied input is processed by the template engine to ensure no bypass vectors remain.