CVE-2026-40477
Server-Side Template Injection in Thymeleaf
Publication date: 2026-04-17
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thymeleaf | thymeleaf | up to 3.1.4 (3.1.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-917 | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Thymeleaf versions 3.1.3.RELEASE and prior allows unauthenticated remote attackers to perform Server-Side Template Injection (SSTI), potentially accessing sensitive objects within templates. This could lead to unauthorized access or exposure of sensitive data.
Such unauthorized access or data exposure may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information.
However, the provided information does not explicitly detail the compliance implications or how organizations should address them in relation to this vulnerability.
Can you explain this vulnerability to me?
This vulnerability exists in Thymeleaf, a server-side Java template engine, in versions 3.1.3.RELEASE and earlier. It is a security bypass issue in the expression execution mechanisms. Although Thymeleaf has protections to prevent expression injection, it does not properly restrict the scope of accessible objects within templates. This flaw allows an unauthenticated remote attacker to bypass these protections and perform Server-Side Template Injection (SSTI) if unvalidated user input is passed directly to the template engine.
How can this vulnerability impact me?
The vulnerability can have severe impacts including unauthorized access to sensitive objects within the application. An attacker exploiting this issue can execute arbitrary code on the server, leading to full compromise of confidentiality, integrity, and availability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Thymeleaf to version 3.1.4.RELEASE or later, which contains the fix for the security bypass issue.
Additionally, never pass unvalidated user input directly to the template engine as part of the template text; supply it to the template only as a model variable, so it is rendered as data rather than parsed as template syntax. This prevents Server-Side Template Injection (SSTI) regardless of engine version.
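The following is an added example illustrating the mitigation advice above; it is not code from the advisory or from the Thymeleaf project. It assumes the Thymeleaf 3.x API (`TemplateEngine`, `StringTemplateResolver`, `Context`) and shows the unsafe pattern the advisory warns against next to the hardened form. The class name `GreetingRenderer` and the method names are hypothetical.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Hypothetical class (added example): contrasts template-source injection
// with the safe practice of passing user input only as a model variable.
public class GreetingRenderer {

    private final TemplateEngine engine;

    public GreetingRenderer() {
        // StringTemplateResolver treats the string passed to process() as the
        // template source itself, which is exactly why concatenating user input
        // into that string is dangerous.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
    }

    // UNSAFE: the user-controlled string becomes part of the template source,
    // so any expression syntax it contains is parsed and evaluated by the
    // engine. This is the "unvalidated user input passed directly to the
    // template engine" pattern named in the advisory; keep it only as a
    // reference for code review, never in production.
    public String renderUnsafe(String userInput) {
        String templateSource = "<p>Hello, " + userInput + "</p>";
        return engine.process(templateSource, new Context());
    }

    // SAFE: the template text is a fixed constant controlled by the developer.
    // The user-controlled string only enters through the model, and th:text
    // renders it as escaped text; it is never parsed as template syntax.
    private static final String GREETING_TEMPLATE =
            "<p th:text=\"|Hello, ${name}|\">placeholder</p>";

    public String renderSafe(String userInput) {
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return engine.process(GREETING_TEMPLATE, ctx);
    }

    public static void main(String[] args) {
        GreetingRenderer renderer = new GreetingRenderer();
        // Constructed sample input; in a real application this would come
        // from a request parameter or form field.
        String input = args.length > 0 ? args[0] : "world";
        System.out.println(renderer.renderSafe(input));
    }
}
```

A practical review check that follows from this: grep the codebase for calls to `TemplateEngine.process(...)` (or Spring's `SpringTemplateEngine`) whose first argument is built by string concatenation or formatting, and for `StringTemplateResolver` configured in request-handling paths. Those sites remain exposed to SSTI even after the upgrade to 3.1.4.RELEASE, because the version fix narrows what an injected expression can reach rather than making template-source injection safe.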