CVE-2026-40477 | CRITICAL 9.0 | EPSS percentile 46.2%


Description

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.65% probability of exploitation · percentile 46.2% · 2026-06-19T12:03:05Z
Published: 2026-04-17
Last modified: 2026-04-24

Underlying weaknesses · 2

CWE-917, CWE-1336

References

  1. https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr


Type     | Target                                                                                                                   | Confidence | Tier
Weakness | Improper Neutralization of Special Elements Used in a Template Engine (cwe-1336)                                          | 0%         | live
Weakness | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') (cwe-917) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-40478
  2. CVE-2026-41901
  3. CVE-2026-41003
  4. CVE-2025-64087
  5. CVE-2026-41850
  6. CVE-2026-25526

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.