Critical Thymeleaf Vulnerability Bypasses Injection Protections
The National Vulnerability Database has disclosed CVE-2026-40477, a critical security bypass vulnerability in Thymeleaf, a popular server-side Java template engine. This flaw, present in versions 3.1.3.RELEASE and earlier, undermines the library’s built-in defenses against expression injection.
Despite mechanisms designed to prevent such attacks, the vulnerability allows unauthenticated remote attackers to access sensitive objects from within a template. This is particularly dangerous where developers pass unvalidated user input directly to the template engine, enabling Server-Side Template Injection (SSTI) and potentially full system compromise. The National Vulnerability Database assigns it a CVSS score of 9 (CRITICAL), reflecting the severe impact.
This isn’t just a theoretical bypass; it’s a direct route to RCE if exploited in the wild. Attackers are constantly looking for ways to subvert application logic, and a critical SSTI in a widely used templating engine provides a high-value target. The fix is available in Thymeleaf version 3.1.4.RELEASE.
What This Means For You
- If your organization utilizes Thymeleaf, immediately identify all instances running versions 3.1.3.RELEASE or prior. Prioritize upgrading to version 3.1.4.RELEASE to mitigate CVE-2026-40477. Review your application code for any instances where unvalidated user input is directly passed to the Thymeleaf template engine; this is a critical code smell that must be addressed even after patching.
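As an added illustration for the code-review step above (this is not code from the advisory, the NVD entry, or the Thymeleaf project), the following Java snippet contrasts the pattern a reviewer should flag, where user input is handed to the engine as the template itself, with the safe pattern, where user input enters only as a model variable rendered through `th:text`. It also includes a small version-triage helper keyed to the 3.1.3.RELEASE threshold the advisory names. The class name, method names, and the sample input are assumptions; the Thymeleaf API calls (`TemplateEngine`, `StringTemplateResolver`, `Context`) are the standard 3.x ones.

```java
// Added illustration, not code from the advisory or from the Thymeleaf project.
// Assumes Thymeleaf 3.x on the classpath; the version threshold is the one the advisory names.
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafReviewExample {

    // Last affected version per the advisory (3.1.3.RELEASE and earlier).
    static final int[] LAST_AFFECTED = {3, 1, 3};

    private static TemplateEngine engine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // ANTI-PATTERN the review should flag: the user-controlled string IS the template.
    // Whatever the caller supplies is parsed by the engine for expressions, which is the
    // precondition for SSTI that the advisory warns about. Kept here only as the "before".
    static String renderUntrustedTemplate(String userSupplied) {
        return engine().process(userSupplied, new Context());
    }

    // SAFE PATTERN: the template is a fixed string owned by the application. User input
    // reaches the engine only as a model variable; th:text renders the value as escaped
    // text and does not parse the value itself as a template expression.
    static String renderWithUserData(String userSupplied) {
        Context ctx = new Context();
        ctx.setVariable("name", userSupplied);
        return engine().process("<p th:text=\"${name}\"></p>", ctx);
    }

    // Version triage helper for inventory scripts: expects a "major.minor.patch[.qualifier]"
    // string and returns true for 3.1.3 and anything below it.
    static boolean isAffected(String version) {
        String[] parts = version.split("\\.");
        for (int i = 0; i < LAST_AFFECTED.length; i++) {
            int n;
            try {
                n = i < parts.length ? Integer.parseInt(parts[i]) : 0;
            } catch (NumberFormatException e) {
                n = 0; // non-numeric component treated as zero
            }
            if (n < LAST_AFFECTED[i]) return true;
            if (n > LAST_AFFECTED[i]) return false;
        }
        return true; // exactly 3.1.3
    }

    public static void main(String[] args) {
        // Constructed sample input (an assumption): markup-looking text, no expression payload.
        String input = "<b>Alice</b>";
        System.out.println(renderWithUserData(input));
        System.out.println("3.1.3.RELEASE affected: " + isAffected("3.1.3.RELEASE"));
        System.out.println("3.1.4.RELEASE affected: " + isAffected("3.1.4.RELEASE"));
    }
}
```

During review, grep for calls to `TemplateEngine.process` (and Spring's view-name resolution) whose first argument is derived from request data; those are the sites `renderUntrustedTemplate` stands in for, and each one should be rewritten in the shape of `renderWithUserData` regardless of the Thymeleaf version in use.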
🛡️ Detection Rules
CVE-2026-40477 - Thymeleaf SSTI Attempt via Expression Injection
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40477 | Server-Side Template Injection | Thymeleaf versions 3.1.3.RELEASE and prior |
| CVE-2026-40477 | Security Bypass | Thymeleaf expression execution mechanisms |
| CVE-2026-40477 | Server-Side Template Injection | Unvalidated user input passed directly to Thymeleaf template engine |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.