CVE-2026-40478
Published: 17 April 2026
Summary
CVE-2026-40478 is a critical-severity Expression Language Injection (CWE-917) vulnerability in the Thymeleaf template engine (vendor: Thymeleaf). Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
Thymeleaf, a server-side Java template engine for web and standalone environments, is affected by CVE-2026-40478 in versions 3.1.3.RELEASE and prior. The vulnerability is a security bypass in the expression execution mechanisms, where the library fails to properly neutralize specific syntax patterns despite providing protections against expression injection. This allows unauthorized expressions to execute, enabling Server-Side Template Injection (SSTI) when applications pass unvalidated user input directly to the template engine. The issue is rated at CVSS 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-917 and CWE-1336.
An unauthenticated remote attacker can exploit this vulnerability over the network with high attack complexity and no privileges or user interaction required. Exploitation requires an application developer to pass unvalidated user input to the Thymeleaf template engine, at which point the attacker can bypass the library's protections to achieve SSTI. Successful exploitation grants high confidentiality, integrity, and availability impacts with a changed scope, potentially leading to full server compromise.
The Thymeleaf security advisory at https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79 details the fix in version 3.1.4.RELEASE, recommending that users upgrade to this or later versions to mitigate the vulnerability. Practitioners should review applications using Thymeleaf for direct user input handling in templates and validate inputs rigorously as an interim measure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23573
Vulnerability details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has been fixed in version 3.1.4.RELEASE.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables Server-Side Template Injection (SSTI) in a public-facing web application using Thymeleaf, allowing unauthenticated remote exploitation for RCE, directly mapping to Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely patching of the Thymeleaf library from vulnerable versions 3.1.3.RELEASE and prior to the fixed 3.1.4.RELEASE.
Prevents SSTI exploitation by enforcing validation and sanitization of user input before it is passed directly to the Thymeleaf template engine.
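The precondition both the advisory and this control describe is user input reaching the engine as template source rather than as data. The following Java example is added here and is not Thymeleaf project code or part of the advisory: it shows that unsafe pattern beside the hardened form (user input bound as a model variable and rendered through th:text), plus an interim check that the running library is at or above the fixed version. It assumes Thymeleaf 3.x on the classpath, uses the library's StringTemplateResolver so a plain String is the template, and assumes the Thymeleaf.VERSION constant is available; the sample input is constructed.

```java
import org.thymeleaf.Thymeleaf;
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

/**
 * Added example (not Thymeleaf project code): the input-handling pattern
 * CVE-2026-40478 depends on, beside the hardened form. A StringTemplateResolver
 * is used so that whatever String is handed to process() is the template
 * source; in a Spring MVC application the same mistake appears as building
 * template source at runtime from request data.
 */
public final class ThymeleafInputHandling {

    private static final TemplateEngine ENGINE = buildEngine();

    private static TemplateEngine buildEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    /**
     * UNSAFE: user input is concatenated into the template source, so the
     * engine parses it as markup and evaluates any expression syntax it
     * contains. This is the condition under which the bypass is reachable.
     */
    static String renderUnsafe(String userSupplied) {
        String templateSource = "<p>Hello, " + userSupplied + "</p>";
        return ENGINE.process(templateSource, new Context());
    }

    /**
     * SAFE: the template source is a fixed string written by the developer.
     * User input only enters as a context variable, and th:text escapes it
     * as text, so it is never parsed as template or expression syntax.
     */
    static String renderSafe(String userSupplied) {
        String templateSource = "<p>Hello, <span th:text=\"${name}\"></span></p>";
        Context ctx = new Context();
        ctx.setVariable("name", userSupplied);
        return ENGINE.process(templateSource, ctx);
    }

    /** Returns true when actual is at least required, comparing dotted numeric parts. */
    static boolean versionAtLeast(String actual, String required) {
        String[] a = actual.split("\\.");
        String[] r = required.split("\\.");
        int n = Math.max(a.length, r.length);
        for (int i = 0; i < n; i++) {
            int ai = i < a.length ? numericPart(a[i]) : 0;
            int ri = i < r.length ? numericPart(r[i]) : 0;
            if (ai != ri) {
                return ai > ri;
            }
        }
        return true;
    }

    private static int numericPart(String s) {
        // Qualifiers such as "RELEASE" carry no ordering here and count as 0.
        return s.matches("\\d+") ? Integer.parseInt(s) : 0;
    }

    /** Interim check against the fixed version named in the advisory. */
    static boolean isFixedVersion() {
        return versionAtLeast(Thymeleaf.VERSION, "3.1.4.RELEASE");
    }

    public static void main(String[] args) {
        // Constructed sample input: markup that must stay inert.
        String input = "Alice <b>admin</b>";
        System.out.println("unsafe: " + renderUnsafe(input)); // markup is interpreted
        System.out.println("safe:   " + renderSafe(input));   // markup is escaped
        System.out.println("Thymeleaf " + Thymeleaf.VERSION
                + (isFixedVersion() ? " is at or above 3.1.4.RELEASE" : " is affected; upgrade"));
    }
}
```

The version check is a stopgap for inventories that cannot yet be scanned (RA-5); it does not replace upgrading. The safe pattern is the permanent control regardless of version: input is bound through the context, and the template itself never varies with request data.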
Identifies the presence of vulnerable Thymeleaf versions through vulnerability scanning, enabling proactive detection and remediation of this specific flaw.