Critical Thymeleaf Vulnerability Bypasses Injection Protections
The National Vulnerability Database has disclosed CVE-2026-40478, a critical security bypass in Thymeleaf versions 3.1.3.RELEASE and prior. Thymeleaf, a widely used server-side Java template engine, contains flaws in its expression execution mechanisms. Despite built-in safeguards against expression injection, the library fails to properly neutralize specific syntax patterns, enabling the execution of unauthorized expressions.
This vulnerability allows an unauthenticated remote attacker to achieve Server-Side Template Injection (SSTI) if an application developer passes unvalidated user input directly to the template engine. The implications are severe: an attacker could manipulate templates to execute arbitrary code or access sensitive data, effectively taking control of the application. This is a classic injection scenario, but the bypass of existing protections makes it particularly concerning.
Defenders must prioritize patching. The National Vulnerability Database confirms this issue is fixed in Thymeleaf version 3.1.4.RELEASE. Any application relying on older versions is exposed. This isn’t just about data theft; SSTI can lead to full system compromise, making it a prime target for initial access by threat actors.
What This Means For You
- If your organization uses Thymeleaf, immediately identify all instances running versions 3.1.3.RELEASE or prior. Prioritize upgrading to 3.1.4.RELEASE without delay. Audit your applications for any direct passing of unvalidated user input to the Thymeleaf template engine – this configuration is the attack vector. Patching is non-negotiable here; this is a critical remote execution path.
Related ATT&CK Techniques
🛡️ Detection Rules
CVE-2026-40478 - Thymeleaf SSTI Attempt via Expression Bypass
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40478 | Server-Side Template Injection | Thymeleaf versions 3.1.3.RELEASE and prior |
| CVE-2026-40478 | Security Bypass | Thymeleaf expression execution mechanisms |
| CVE-2026-40478 | Code Injection | Unvalidated user input passed directly to Thymeleaf template engine |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.