EXECUTIVE SUMMARY:
CVE-2026-40477, with a CVSS score of 9.1, is a critical vulnerability in the expression execution mechanisms of Thymeleaf, affecting versions <= 3.1.3.RELEASE of the maven/org.thymeleaf:thymeleaf, maven/org.thymeleaf:thymeleaf-spring5, and maven/org.thymeleaf:thymeleaf-spring6 packages. The vulnerability arises from Thymeleaf's failure to properly restrict the scope of accessible objects, allowing an attacker to bypass the library's protections and achieve Server-Side Template Injection (SSTI). An unauthenticated remote attacker can exploit this vulnerability when the application passes unvalidated user input directly to the template engine, and can thereby execute arbitrary code on the server. The business impact is significant: an attacker can use SSTI to steal sensitive data, disrupt operations, or gain unauthorized access to the system. The only prerequisite for exploitation is access to an application that uses Thymeleaf's template engine and the ability to inject malicious input into it.
RECOMMENDATION:
We recommend updating thymeleaf, thymeleaf-spring5, and thymeleaf-spring6 to version 3.1.4.RELEASE.
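Beyond upgrading, the exposure the summary describes is an application that splices untrusted input into template source before handing it to the engine. As an added illustration (not code from this advisory or from the Thymeleaf project), the snippet below shows that pattern beside the safe one, where input reaches the engine only as a model variable; it assumes Thymeleaf 3.x core on the classpath.

```java
// Added illustration, not from the advisory or from Thymeleaf itself.
// Assumes the Thymeleaf 3.x core library is on the classpath.
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafRenderDemo {

    // Engine that treats the string passed to process() as the template source itself.
    private static TemplateEngine newEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // VULNERABLE PATTERN: the request value becomes part of the template source, so any
    // Thymeleaf expression or inlining syntax it contains is parsed and evaluated by the
    // engine. This is the "unvalidated user input passed directly to the template engine"
    // condition the advisory describes, and on affected versions it leads to SSTI.
    static String renderUnsafe(TemplateEngine engine, String userInput) {
        String templateSource = "<p>Hello, " + userInput + "</p>";
        return engine.process(templateSource, new Context());
    }

    // SAFE PATTERN: the template text is a fixed, developer-authored string. User input is
    // supplied only as a model variable; th:text renders it as escaped literal text and the
    // engine never parses it as template source.
    static String renderSafe(TemplateEngine engine, String userInput) {
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return engine.process("<p th:text=\"'Hello, ' + ${name}\">placeholder</p>", ctx);
    }

    public static void main(String[] args) {
        TemplateEngine engine = newEngine();
        // Constructed sample input (not an exploit payload): markup that must stay inert.
        String input = "Ada <b>Lovelace</b>";
        System.out.println(renderUnsafe(engine, input));
        System.out.println(renderSafe(engine, input));
    }
}
```

The safe variant is the shape to enforce in code review regardless of version; the upgrade closes the bypass, but keeping user input out of template source removes the attack surface entirely.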
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-r4v4-5mwr-2fwr