CVE-2026-40478
Published: 17 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
Thymeleaf, a server-side Java template engine for web and standalone environments, is affected by CVE-2026-40478 in versions 3.1.3.RELEASE and prior. The vulnerability is a bypass of the library's expression-execution restrictions: although Thymeleaf ships protections against expression injection, it fails to neutralize certain syntax patterns, so expressions that should have been blocked are executed. When an application passes unvalidated user input to the template engine as template content, this enables Server-Side Template Injection (SSTI). The issue is rated CVSS 9.0 (Critical; vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-917 (Expression Language Injection) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).
An unauthenticated remote attacker can exploit the flaw over the network with no privileges or user interaction. Attack complexity is rated high because exploitation is only possible where the application itself hands unvalidated user input to the Thymeleaf engine; at that point the attacker can bypass the library's protections and achieve SSTI. Successful exploitation yields high confidentiality, integrity and availability impact with a changed scope (the impact reaches beyond the template library to the hosting application and server), which for a Java template engine means remote code execution and potentially full server compromise.
The Thymeleaf security advisory at https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79 details the fix in version 3.1.4.RELEASE and recommends upgrading to that or a later version. As an interim measure, practitioners should review applications using Thymeleaf for any path where user input reaches the engine as template content (for example, concatenated into a template string) and validate such input rigorously; the more robust fix is to keep template source developer-controlled and let user input enter only as context variables rendered through escaping attributes such as th:text.
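The two patterns the summary contrasts, as an added example that is not part of the advisory or of the Thymeleaf project's own code: the exploitable pattern (user input spliced into template source and handed to the engine) beside the hardened pattern (constant template, user input only as a context variable), plus a patch-level check against the fixed version named in the advisory. It assumes Thymeleaf 3.x on the classpath (org.thymeleaf:thymeleaf) and uses only public Thymeleaf API (TemplateEngine, StringTemplateResolver, Context, and the Thymeleaf.VERSION constant); the class name, the helper names and the probe string are this example's own, and the probe is a generic SSTI probe, not the syntax pattern the advisory refers to.

```java
import org.thymeleaf.Thymeleaf;
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafSstiDemo {

    // An engine that resolves template *source* passed as a String. Under this
    // configuration the string handed to process() is parsed as a template, so
    // anything an attacker can get into that string is parsed as well.
    private static TemplateEngine newEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // VULNERABLE PATTERN (the one the advisory says exploitation requires):
    // untrusted input is concatenated into the template source, so any
    // expression syntax it carries is parsed and evaluated by the engine.
    // On affected versions the engine's own expression-injection protections
    // do not make this pattern safe.
    static String renderVulnerable(TemplateEngine engine, String userInput) {
        String templateSource = "<p>Hello, " + userInput + "</p>";
        return engine.process(templateSource, new Context());
    }

    // HARDENED PATTERN: the template source is a developer-controlled constant.
    // Untrusted input enters only as a context variable and is emitted through
    // th:text, which HTML-escapes it and never parses it as an expression.
    static String renderSafe(TemplateEngine engine, String userInput) {
        String templateSource =
            "<p>Hello, <span th:text=\"${name}\">placeholder</span></p>";
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return engine.process(templateSource, ctx);
    }

    // Patch-level check against the fixed version in the advisory
    // (3.1.4.RELEASE). Thymeleaf versions look like "3.1.3.RELEASE"; only the
    // first three numeric components are compared, so 2.x also counts as
    // affected and an unparseable string is treated as affected.
    static boolean isFixedVersion(String version) {
        int[] fixed = {3, 1, 4};
        String[] parts = version.split("[.-]");
        for (int i = 0; i < fixed.length; i++) {
            int component;
            try {
                component = i < parts.length ? Integer.parseInt(parts[i]) : 0;
            } catch (NumberFormatException e) {
                return false;
            }
            if (component != fixed[i]) {
                return component > fixed[i];
            }
        }
        return true; // exactly 3.1.4.x
    }

    public static void main(String[] args) {
        TemplateEngine engine = newEngine();

        // Constructed probe input (this example's own): an inlined arithmetic
        // expression. If the input is being *evaluated* the rendered page
        // contains the product; if it is merely *displayed* the literal text
        // comes back escaped inside the span.
        String probe = "[[${7 * 7}]]";

        System.out.println("vulnerable: " + renderVulnerable(engine, probe));
        System.out.println("hardened:   " + renderSafe(engine, probe));

        String v = Thymeleaf.VERSION;
        System.out.println("Thymeleaf " + v + ": "
            + (isFixedVersion(v) ? "contains the fix"
                                 : "affected, upgrade to 3.1.4.RELEASE or later"));
    }
}
```

Run it against a build of the application: a 49 in the "vulnerable" line is the signature of user input being evaluated rather than displayed, and that is exactly the code path to remove regardless of which Thymeleaf version is installed, since the upgrade closes the bypass but does not make concatenating user input into template source a good idea. The version check uses the library's own constant rather than a Maven coordinate, so it reports what actually made it onto the runtime classpath.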
Details
- CWE(s): CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, 'Expression Language Injection'); CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
- Affected Products: Thymeleaf (org.thymeleaf:thymeleaf) 3.1.3.RELEASE and prior; fixed in 3.1.4.RELEASE
- MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability enables Server-Side Template Injection (SSTI) in a public-facing web application built on Thymeleaf, allowing an unauthenticated remote attacker to obtain RCE on the application server as an initial foothold, which maps directly to Exploit Public-Facing Application.