{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40478", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.113Z", "datePublished": "2026-04-17T21:57:01.560Z", "dateUpdated": "2026-04-22T03:55:42.682Z"}, "containers": {"cna": {"title": "Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf", "problemTypes": [{"descriptions": [{"cweId": "CWE-917", "lang": "en", "description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79"}], "affected": [{"vendor": "thymeleaf", "product": "thymeleaf", "versions": [{"version": "< 3.1.4.RELEASE", "status": "affected"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring5", "versions": [{"version": "< 3.1.4.RELEASE", "status": "affected"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring6", "versions": [{"version": "< 3.1.4.RELEASE", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:57:01.560Z"}, "descriptions": [{"lang": "en", "value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."}], "source": {"advisory": "GHSA-xjw8-8c5c-9r79", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-40478"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T03:55:42.682Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T16:17:04.306869Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:17:07.750Z"}}], "cna": {"title": "Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf", "source": {"advisory": "GHSA-xjw8-8c5c-9r79", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "thymeleaf", "product": "thymeleaf", "versions": [{"status": "affected", "version": "< 3.1.4.RELEASE"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring5", "versions": [{"status": "affected", "version": "< 3.1.4.RELEASE"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring6", "versions": [{"status": "affected", "version": "< 3.1.4.RELEASE"}]}], "references": [{"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79", "name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-917", "description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:57:01.560Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40478", "state": "PUBLISHED", "dateUpdated": "2026-04-22T03:55:42.682Z", "dateReserved": "2026-04-13T19:50:42.113Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T21:57:01.560Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thymeleaf:thymeleaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "1719DA8A-E398-4802-AF24-0A2558214772", "versionEndExcluding": "3.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."}], "id": "CVE-2026-40478", "lastModified": "2026-04-24T16:58:33.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:33.650", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass", "id": "2459349", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459349"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-917", "details": ["Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.", "A flaw was found in Thymeleaf, a server-side Java template engine. An unauthenticated remote attacker can exploit this vulnerability by providing unvalidated user input to the template engine. This bypasses existing security mechanisms, allowing for the execution of unauthorized expressions and leading to Server-Side Template Injection (SSTI)."], "mitigation": {"lang": "en:us", "value": "The vulnerability arises when unvalidated user input is directly passed to the Thymeleaf template engine. To mitigate this, application developers should implement robust input validation and sanitization for all user-supplied data before it is processed by the Thymeleaf template engine. This ensures that malicious expressions cannot be executed."}, "name": "CVE-2026-40478", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "camel-thymeleaf", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "smallrye-mutiny-vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "smallrye-mutiny-vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "smallrye-mutiny-vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "spring-boot-starter-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "thymeleaf-extras-java8time", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "thymeleaf-spring5", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "spring-boot-starter-thymeleaf", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "thymeleaf-extras-java8time", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "thymeleaf-spring5", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-04-17T21:57:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40478\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40478\nhttps://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.4.RELEASE)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "org.thymeleaf:thymeleaf-spring5", "source": "cna", "vendor": "thymeleaf"}, "product": "org.thymeleaf:thymeleaf-spring5", "vendor": "thymeleaf"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.4.RELEASE)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "org.thymeleaf:thymeleaf-spring6", "source": "cna", "vendor": "thymeleaf"}, "product": "org.thymeleaf:thymeleaf-spring6", "vendor": "thymeleaf"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.4.RELEASE)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "thymeleaf", "source": "cna", "vendor": "thymeleaf"}, "product": "thymeleaf", "vendor": "thymeleaf"}], "analysis": {"en": {"generated_at": "2026-04-18T17:04:34.178507+00:00", "value": {"mitigation_remediation": ["Upgrade to Thymeleaf 3.1.4.RELEASE or later, which includes the required neutralization of expression syntax.", "If an upgrade is not immediately possible, avoid passing raw user input into the template engine; instead escape or validate the data before rendering.", "Configure Thymeleaf to disable expression evaluation for any user supplied content (e.g., by setting the appropriate configuration flag or using a custom template handler) to ensure that injected expressions cannot be executed."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Template Injection"}, "threat_synthesis": {"affected_systems": "All versions of Thymeleaf up to and including 3.1.3.RELEASE are vulnerable, including the core library and its Spring 5 and Spring 6 bindings (thymeleaf-spring5 and thymeleaf-spring6). The vulnerability was fixed in Thymeleaf 3.1.4.RELEASE; any deployment using older releases must update or apply a mitigation.", "description_and_impact": "Thymeleaf, a Java template engine, does not fully neutralize certain syntax patterns that can lead to the execution of unauthorized expressions. When an application developer passes unchecked user input directly into the template engine, an unauthenticated attacker can inject malicious expressions and obtain Server\u2011Side Template Injection (SSTI). This falls under the CWE-1336 and CWE-917 weaknesses and allows the attacker to run code with the privileges of the server process.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a critical severity with network\u2011based attack and unauthenticated exploitation. No EPSS data is available, implying that the current exploitation probability is not quantified. The vulnerability is not listed in CISA\u2019s KEV catalog, but the high CVSS rating warrants immediate attention. The likely attack vector involves a malicious payload embedded in web request data that is rendered by the template engine, enabling remote code execution. Without remediation, attackers can read or modify server data and compromise the entire application."}}}}, "created": "2026-04-18T17:15:05.777087+00:00", "updated": "2026-04-20T14:59:28.107057+00:00", "vendors": ["thymeleaf", "thymeleaf$PRODUCT$org.thymeleaf:thymeleaf-spring5", "thymeleaf$PRODUCT$org.thymeleaf:thymeleaf-spring6", "thymeleaf$PRODUCT$thymeleaf"]}