Description
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Published: 2026-04-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Template Injection
Action: Immediate Patch
AI Analysis

Impact

Thymeleaf’s expression execution mechanism fails to properly restrict the scope of accessible objects, allowing an attacker to reach sensitive objects from within a template. When an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library’s protections and achieve Server‑Side Template Injection, potentially exposing confidential data or executing arbitrary code. The weakness corresponds to CWE‑1336 and CWE‑917.

Affected Systems

Versions 3.1.3.RELEASE and earlier of Thymeleaf, including the thymeleaf‑spring5, thymeleaf‑spring6, and core thymeleaf components, are affected. The fix began in 3.1.4.RELEASE.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity, and the vulnerability is not listed in CISA KEV. Although no EPSS score is available, the description shows that the flaw can be exploited by any unauthenticated user who can inject input into a template. The likely attack vector involves inserting a malicious expression into user‑controlled data that is then rendered by the template engine.

Generated by OpenCVE AI on April 18, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thymeleaf to 3.1.4.RELEASE or later
  • Validate and sanitize all data before passing it to the template engine to ensure no user input reaches the expression evaluator
  • Configure the Thymeleaf context to expose only the objects required by the application, reducing the potential attack surface

Generated by OpenCVE AI on April 18, 2026 at 08:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r4v4-5mwr-2fwr Improper restriction of the scope of accessible objects in Thymeleaf expressions
History

Fri, 24 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:thymeleaf:thymeleaf:*:*:*:*:*:*:*:*

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Thymeleaf
Thymeleaf org.thymeleaf:thymeleaf-spring5
Thymeleaf org.thymeleaf:thymeleaf-spring6
Thymeleaf thymeleaf
Vendors & Products Thymeleaf
Thymeleaf org.thymeleaf:thymeleaf-spring5
Thymeleaf org.thymeleaf:thymeleaf-spring6
Thymeleaf thymeleaf

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Title Improper restriction of the scope of accessible objects in Thymeleaf expressions
Weaknesses CWE-1336
CWE-917
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Thymeleaf Org.thymeleaf:thymeleaf-spring5 Org.thymeleaf:thymeleaf-spring6 Thymeleaf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T03:55:41.093Z

Reserved: 2026-04-13T19:50:42.113Z

Link: CVE-2026-40477

cve-icon Vulnrichment

Updated: 2026-04-20T13:32:39.391Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-17T22:16:33.500

Modified: 2026-04-24T16:58:57.837

Link: CVE-2026-40477

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-17T21:53:47Z

Links: CVE-2026-40477 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:29Z

Weaknesses