Thymeleaf SSTI Bypass via Expression Execution <3.1.4
CVE-2026-40477 Published on April 17, 2026

Improper restriction of the scope of accessible objects in Thymeleaf expressions
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

NVD

Vulnerability Analysis

CVE-2026-40477 can be exploited with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is an EL Injection Vulnerability?

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

CVE-2026-40477 has been classified to as an EL Injection vulnerability or weakness.

CWE-1336

Products Associated with CVE-2026-40477

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 
 
 

Affected Versions

thymeleaf: org.thymeleaf:thymeleaf-spring5: org.thymeleaf:thymeleaf-spring6: Red Hat OpenShift Dev Spaces 3.28: Red Hat Fuse 7: Red Hat Single Sign-On 7: Red Hat build of Apache Camel for Spring Boot 4: Red Hat JBoss Enterprise Application Platform 7: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack:

Exploit Probability

EPSS
0.65%
Percentile
46.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.