CVE-2026-40478 · CRITICAL 9.0 · EPSS percentile 43.3%

Description

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.58% probability of exploitation · percentile 43.3% · 2026-06-19T12:03:05Z
Published: 2026-04-17
Last modified: 2026-04-24

Underlying weaknesses · 2

CWE-917, CWE-1336

References

  1. https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79

Type     | Target                                                                                                                         | Confidence | Tier
Weakness | Improper Neutralization of Special Elements Used in a Template Engine (cwe-1336)                                               | 0%         | live
Weakness | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') (cwe-917) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-40477
CVE: CVE-2026-41901
CVE: CVE-2026-41003
CVE: CVE-2026-41850
CVE: CVE-2026-33154
CVE: CVE-2025-46661
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.