CVE-2026-40478
Server-Side Template Injection in Thymeleaf ≤ 3.1.3 Allows Bypass
Publication date: 2026-04-17
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thymeleaf | thymeleaf | up to 3.1.4 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-917 | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Thymeleaf, a server-side Java template engine. Versions 3.1.3.RELEASE and earlier have a security bypass issue in their expression execution mechanisms. Although Thymeleaf tries to prevent expression injection, it does not properly neutralize certain syntax patterns. This flaw allows an unauthenticated remote attacker to bypass protections and execute unauthorized expressions if unvalidated user input is passed directly to the template engine.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to Server-Side Template Injection (SSTI), allowing an attacker to execute arbitrary code on the server. This can result in full compromise of the confidentiality, integrity, and availability of the affected system, as reflected in the high CVSS score (9.0).
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Thymeleaf to version 3.1.4.RELEASE or later, where the security bypass issue has been fixed.
Additionally, avoid passing unvalidated user input directly to the template engine to prevent unauthorized expression execution.
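The following Java snippet is an added illustration of the second mitigation (passing user input to the engine as data, not as template source); it is not code from this CVE record or from the Thymeleaf project, and it does not reproduce the specific bypass, which this record does not describe. It assumes Thymeleaf 3.x on the classpath; the class name `TemplateInputDemo`, the method names, and the sample input are the example's own.

```java
// Added example (not from the CVE record or the Thymeleaf project).
// Contrasts two ways of getting a request value into rendered output.
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class TemplateInputDemo {

    // Build an engine that treats the string handed to process() as the template itself.
    private static TemplateEngine engine() {
        TemplateEngine engine = new TemplateEngine();
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode("HTML");
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // UNSAFE PATTERN: the request value is concatenated into the template source,
    // so any expression syntax it contains is parsed and evaluated by the engine.
    // This is the shape of code the mitigation above tells you to avoid.
    static String renderUnsafe(String userName) {
        String template = "<p>Hello, " + userName + "</p>";
        return engine().process(template, new Context());
    }

    // SAFE PATTERN: the template text is a fixed string controlled by the developer;
    // the request value travels in the context as a variable and th:text renders it
    // as escaped text, so expression syntax inside it is never parsed.
    static String renderSafe(String userName) {
        Context ctx = new Context();
        ctx.setVariable("userName", userName);
        return engine().process("<p th:text=\"'Hello, ' + ${userName}\"></p>", ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input that contains template expression syntax.
        String input = "[[${7*7}]]";
        // In the unsafe path the engine evaluates the embedded expression;
        // in the safe path the same characters appear literally (HTML-escaped).
        System.out.println("unsafe: " + renderUnsafe(input));
        System.out.println("safe:   " + renderSafe(input));
    }
}
```

Keeping template source static and moving all externally influenced values into the context is defense in depth; it does not replace the upgrade to 3.1.4.RELEASE, which is the fix for the bypass itself.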
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Thymeleaf versions 3.1.3.RELEASE and prior allows unauthenticated remote attackers to perform Server-Side Template Injection (SSTI) by bypassing expression execution protections. This can lead to unauthorized code execution, potentially compromising confidentiality, integrity, and availability of data processed by affected applications.
Such a compromise can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure processing environments. If personal or protected health information is exposed or altered due to exploitation of this vulnerability, organizations may fail to meet their regulatory obligations.