Threat Advisory

Thymeleaf Vulnerability Exposes Critical Sandbox Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
EXECUTIVE SUMMARY:

CVE-2026-40478, with a CVSS score of 9.1, is a Server-Side Template Injection (SSTI) issue in Thymeleaf, a widely used Java template engine and the de facto template engine in the Java Spring ecosystem. The vulnerability affects all Thymeleaf versions before 3.1.4.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns, allowing unauthorized expressions to be evaluated. When an application passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections and achieve SSTI. This enables the attacker to create arbitrary files on disk, escalate to full remote code execution, and register and invoke arbitrary beans. The business impact of exploitation is significant: compromised web servers can in turn affect numerous business applications. No special privileges or conditions are required for exploitation; attackers only need to control input that reaches Thymeleaf's expression engine, a common pattern in web applications.
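The summary above hinges on one application-side pattern: user input reaching the expression engine as template text rather than as data. The following Java snippet is an added illustration written for this advisory, not code from Thymeleaf or from the cited report; it uses the public Thymeleaf 3.x API (TemplateEngine, Context, StringTemplateResolver) and a constructed sample input. It places the exposed pattern beside the hardened one so reviewers can recognise the difference in their own code bases. Upgrading to 3.1.4.RELEASE remains the fix; the hardened pattern is defence in depth, because a fixed template keeps attacker-controlled text away from the expression parser regardless of library version.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Added example for this advisory (not Thymeleaf project code). Requires thymeleaf 3.x on the classpath.
public class GreetingRenderer {

    private static final TemplateEngine ENGINE = new TemplateEngine();

    static {
        // StringTemplateResolver treats the String handed to process() as the template source itself.
        ENGINE.setTemplateResolver(new StringTemplateResolver());
    }

    // EXPOSED PATTERN: request-controlled text is concatenated into the template source,
    // so the expression engine parses whatever the user sent before anything is rendered.
    // This is the "unvalidated user input passed directly to the template engine" case.
    public static String renderExposed(String userName) {
        String template = "<p>Hello, " + userName + "!</p>";
        return ENGINE.process(template, new Context());
    }

    // HARDENED PATTERN: the template text is a compile-time constant; the user's value enters
    // only as a model variable and is HTML-escaped by th:text. The expression engine never
    // sees user input as syntax, only as a value looked up by a fixed expression.
    private static final String GREETING_TEMPLATE =
            "<p>Hello, <span th:text=\"${userName}\">name</span>!</p>";

    public static String renderHardened(String userName) {
        Context ctx = new Context();
        ctx.setVariable("userName", userName);
        return ENGINE.process(GREETING_TEMPLATE, ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input: harmless Thymeleaf inline-expression syntax (documented [[...]]
        // form) that a tester might send to check whether input is being evaluated as a template.
        String probe = "[[${1 + 1}]]";

        // Exposed path: the probe is evaluated, and the output contains "Hello, 2!".
        System.out.println("exposed : " + renderExposed(probe));

        // Hardened path: the probe is rendered as escaped literal text, e.g. "[[${1 + 1}]]".
        System.out.println("hardened: " + renderHardened(probe));
    }
}
```

When auditing an application, search for any call where the first argument to TemplateEngine.process (or the view name returned from a Spring controller) is built from request parameters, headers, or stored user content; each such site is a place where input reaches the expression engine. Moving that input into a Context variable, as in renderHardened, removes the injection path, and the library upgrade closes the sandbox bypass for any site that is missed.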

RECOMMENDATION:

We recommend updating Thymeleaf to version 3.1.4.RELEASE.

REFERENCES:

The following reports contain further technical details:
https://www.csoonline.com/article/4160520/critical-sandbox-bypass-fixed-in-popular-thymeleaf-java-template-engine.html
