CVE-2026-40478

Thymeleaf · Thymeleaf

Thymeleaf versions 3.1.3.RELEASE and prior are susceptible to Server-Side Template Injection (SSTI) due to insufficient neutralization of expression syntax.

Executive summary

A critical Server-Side Template Injection vulnerability in Thymeleaf allows unauthenticated remote attackers to execute unauthorized expressions.

Vulnerability

This is an expression injection vulnerability: the engine fails to properly neutralize specific expression syntax patterns, so an unauthenticated remote attacker can bypass its protections whenever the application passes unvalidated user input to the engine.

Business impact

An SSTI vulnerability allows for remote code execution, which can lead to complete server compromise and unauthorized access to backend data. With a CVSS score of 9.0, this represents a critical risk to the confidentiality, integrity, and availability of any web application utilizing the vulnerable library.

Remediation

Immediate Action: Upgrade the Thymeleaf library to version 3.1.4.RELEASE or later to incorporate the necessary security fixes.

Proactive Monitoring: Review application logs for input strings containing suspicious template expression syntax and monitor for unexpected system process execution.

Compensating Controls: Implement strict input validation and sanitization routines at the application layer to ensure that user-supplied data cannot be interpreted as template expressions.
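The monitoring and compensating-control steps above both reduce to one check: does a string contain Thymeleaf standard expression syntax (`${...}`, `*{...}`, `#{...}`, `@{...}`, `~{...}`, and the `__...__` preprocessing form)? The following Python is an added example written for this advisory; it is not code from the advisory or from the Thymeleaf project. The regular expression, the function names, and the access-log lines are assumptions constructed for illustration. The check URL-decodes repeatedly before matching, because the same syntax usually arrives in logs as `%24%7B` rather than `${`, sometimes double-encoded.

```python
import re
from urllib.parse import unquote

# Thymeleaf standard expression prefixes: ${ variable, *{ selection,
# #{ message, @{ link, ~{ fragment. The __...__ preprocessing form wraps
# one of these, so matching the prefix also covers it.
# (Assumed pattern, written for this example.)
EXPRESSION_PATTERN = re.compile(r"[$*#@~]\{")


def contains_template_expression(value: str, max_decode_rounds: int = 3) -> bool:
    """Return True if `value` carries template expression syntax.

    URL-decodes up to `max_decode_rounds` times so that single- and
    double-encoded forms (%24%7B, %2524%257B) are detected as well.
    """
    decoded = value
    for _ in range(max_decode_rounds):
        next_round = unquote(decoded)
        if next_round == decoded:
            break
        decoded = next_round
    return EXPRESSION_PATTERN.search(decoded) is not None


def is_safe_user_input(value: str) -> bool:
    """Compensating control: accept only input free of expression syntax."""
    return not contains_template_expression(value)


def validate_user_input(value: str) -> str:
    """Reject user-supplied data that could be interpreted as an expression."""
    if not is_safe_user_input(value):
        raise ValueError("input contains template expression syntax")
    return value


def find_suspicious_log_lines(lines):
    """Proactive monitoring: return access-log lines whose request carries
    template expression syntax (decoded before matching)."""
    return [line for line in lines if contains_template_expression(line)]


# Constructed sample access-log lines (not real traffic). The two flagged
# lines carry a harmless placeholder expression, encoded once and twice.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /search?q=laptops HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] "GET /search?q=%24%7Bname%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /profile?user=alice%40example.com HTTP/1.1" 200 801',
    '10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] "GET /search?q=%2524%257Bname%257D HTTP/1.1" 200 498',
]


if __name__ == "__main__":
    for hit in find_suspicious_log_lines(SAMPLE_LOG):
        print("suspicious:", hit)
    print("validated:", validate_user_input("laptops"))
```

The validator is a denylist on syntax, so it belongs alongside the upgrade, not in place of it; the durable fix is passing user data to the engine only as model variables, never as part of the template text itself.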

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of Server-Side Template Injection cannot be overstated. Developers must prioritize the library update to version 3.1.4.RELEASE and audit all areas of their application where user-supplied input is processed by the template engine to ensure no bypass vectors remain.