Description
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Published: 2026-04-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Template Injection
Action: Immediate Patch
AI Analysis

Impact

Thymeleaf, a Java template engine, does not fully neutralize certain syntax patterns that can lead to the execution of unauthorized expressions. When an application developer passes unchecked user input directly into the template engine, an unauthenticated attacker can inject malicious expressions and obtain Server‑Side Template Injection (SSTI). This falls under the CWE-1336 and CWE-917 weaknesses and allows the attacker to run code with the privileges of the server process.

Affected Systems

All versions of Thymeleaf up to and including 3.1.3.RELEASE are vulnerable, including the core library and its Spring 5 and Spring 6 bindings (thymeleaf-spring5 and thymeleaf-spring6). The vulnerability was fixed in Thymeleaf 3.1.4.RELEASE; any deployment using older releases must update or apply a mitigation.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity with network‑based attack and unauthenticated exploitation. No EPSS data is available, implying that the current exploitation probability is not quantified. The vulnerability is not listed in CISA’s KEV catalog, but the high CVSS rating warrants immediate attention. The likely attack vector involves a malicious payload embedded in web request data that is rendered by the template engine, enabling remote code execution. Without remediation, attackers can read or modify server data and compromise the entire application.

Generated by OpenCVE AI on April 18, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Thymeleaf 3.1.4.RELEASE or later, which includes the required neutralization of expression syntax.
  • If an upgrade is not immediately possible, avoid passing raw user input into the template engine; instead escape or validate the data before rendering.
  • Configure Thymeleaf to disable expression evaluation for any user supplied content (e.g., by setting the appropriate configuration flag or using a custom template handler) to ensure that injected expressions cannot be executed.

Generated by OpenCVE AI on April 18, 2026 at 17:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xjw8-8c5c-9r79 Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
History

Fri, 24 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:thymeleaf:thymeleaf:*:*:*:*:*:*:*:*

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Thymeleaf
Thymeleaf org.thymeleaf:thymeleaf-spring5
Thymeleaf org.thymeleaf:thymeleaf-spring6
Thymeleaf thymeleaf
Vendors & Products Thymeleaf
Thymeleaf org.thymeleaf:thymeleaf-spring5
Thymeleaf org.thymeleaf:thymeleaf-spring6
Thymeleaf thymeleaf

Fri, 17 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Title Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Weaknesses CWE-1336
CWE-917
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Thymeleaf Org.thymeleaf:thymeleaf-spring5 Org.thymeleaf:thymeleaf-spring6 Thymeleaf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T03:55:42.682Z

Reserved: 2026-04-13T19:50:42.113Z

Link: CVE-2026-40478

cve-icon Vulnrichment

Updated: 2026-04-20T16:17:07.750Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-17T22:16:33.650

Modified: 2026-04-24T16:58:33.957

Link: CVE-2026-40478

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-17T21:57:01Z

Links: CVE-2026-40478 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:28Z

Weaknesses