Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

GHSA-xjw8-8c5c-9r79 · CVE-2026-40478

Published Apr 15, 2026 · Modified May 5, 2026

Description

Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).

Patches

This has been fixed in Thymeleaf 3.1.4.RELEASE.

Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.

Credits

Thanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.

References

9.0 / 10

CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Packages

Maven/org.thymeleaf:thymeleaf

Fix 3.1.4.RELEASE

Introduced 0

81 affected versions

1.0.01.0.0-beta11.0.0-beta21.0.0-beta31.0.0-beta41.0.0-beta51.0.11.1.01.1.11.1.21.1.31.1.41.1.52.0.02.0.0-beta12.0.0-beta22.0.12.0.102.0.112.0.12 +61 more

Maven/org.thymeleaf:thymeleaf-spring5

Fix 3.1.4.RELEASE

Introduced 0

22 affected versions

3.0.10.RELEASE3.0.11.RELEASE3.0.12.RELEASE3.0.13.RELEASE3.0.14.RELEASE3.0.15.RELEASE3.0.3.M13.0.4.M23.0.5.M33.0.6.M43.0.7.RC13.0.8.RELEASE3.0.9.RELEASE3.1.0.M13.1.0.M23.1.0.M33.1.0.RC13.1.0.RC23.1.0.RELEASE3.1.1.RELEASE +2 more

Maven/org.thymeleaf:thymeleaf-spring6

Fix 3.1.4.RELEASE

Introduced 0

9 affected versions

3.1.0.M13.1.0.M23.1.0.M33.1.0.RC13.1.0.RC23.1.0.RELEASE3.1.1.RELEASE3.1.2.RELEASE3.1.3.RELEASE

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes