PT-2026-33214 · Thymeleaf · Thymeleaf
Published 2026-04-15 · Updated 2026-04-18
CVE-2026-40477
CVSS v3.1: 9.0 (Critical)
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Thymeleaf versions prior to 3.1.4.RELEASE
Description
A security bypass exists in the library's expression execution mechanisms: it fails to properly restrict the scope of accessible objects, so specific sensitive objects can be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can achieve Server-Side Template Injection (SSTI), in which attacker-supplied template content is parsed and evaluated on the server.
Recommendations
Update to version 3.1.4.RELEASE.
Ensure applications do not pass unvalidated user input directly to the template engine.
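The second recommendation is the one developers control directly, so here is a worked illustration of what "passing user input to the template engine" means in practice. This is an added example, not code from the advisory or from the Thymeleaf project; the class name GreetingRenderer, the helper newEngine and the sample input are constructed for this illustration. The unsafe method splices the request value into the template source, so the engine parses and evaluates whatever expression syntax it contains. The safe method keeps the template a fixed developer-authored string and hands the value in as a model variable, where th:text treats it as data and HTML-escapes it.

```java
// Added example (not from the advisory or the Thymeleaf project): the unsafe
// pattern the advisory warns about beside the pattern it recommends.
// GreetingRenderer, newEngine and the sample input are constructed names/values.
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class GreetingRenderer {

    // Engine whose "template name" is the template source itself, which is the
    // setup in which concatenating user input becomes a template injection.
    private static TemplateEngine newEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // UNSAFE: the request value becomes part of the template source. Any
    // expression syntax inside it is parsed and evaluated by the engine, which is
    // exactly the SSTI path the advisory describes. Do not ship this.
    static String renderUnsafe(String userInput) {
        String templateSource = "<p>Hello, " + userInput + "</p>";
        return newEngine().process(templateSource, new Context());
    }

    // SAFE: the template text is fixed and written by the developer. The request
    // value enters only as a model variable, so it is never parsed as template
    // syntax, and th:text HTML-escapes it on output.
    static String renderSafe(String userInput) {
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        String fixedTemplate = "<p th:text=\"'Hello, ' + ${name}\">placeholder</p>";
        return newEngine().process(fixedTemplate, ctx);
    }

    public static void main(String[] args) {
        String input = "<b>Alice</b>"; // constructed sample input with markup
        // Unsafe: the markup from the input is emitted verbatim into the page.
        System.out.println(renderUnsafe(input));
        // Safe: the same input is rendered as escaped text (&lt;b&gt;Alice&lt;/b&gt;).
        System.out.println(renderSafe(input));
    }
}
```

Running the sample shows the difference on plain markup; the same boundary is what stops expression syntax from being evaluated, since in renderSafe the value is only ever data in the context, never part of the template that gets parsed. The rule applies equally to template names: a controller that returns a request-derived view name hands user input to the engine just as directly as string concatenation does. A code review check for this class of issue is therefore to grep for every call into the engine (process, view resolution, template name construction) and confirm that each template string or name is a constant or comes from a developer-controlled allowlist.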
Affected Products
Thymeleaf