CVE-2026-40478— Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40478
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Source: NVD (National Vulnerability Database)
Vulnerability Description
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
thymeleaf 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
thymeleaf是Thymeleaf开源的一个Java模板引擎。 thymeleaf 3.1.3.RELEASE及之前版本存在安全漏洞,该漏洞源于表达式执行机制存在安全绕过,未能正确中和特定语法模式,可能导致服务器端模板注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| thymeleaf | thymeleaf | < 3.1.4.RELEASE | - | |
| thymeleaf | org.thymeleaf:thymeleaf-spring5 | < 3.1.4.RELEASE | - | |
| thymeleaf | org.thymeleaf:thymeleaf-spring6 | < 3.1.4.RELEASE | - |
II. Public POCs for CVE-2026-40478
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40478
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-917
- CVE-2026-41705
Spring AI MilvusVectorStore 注入漏洞影响 1.0.x-1.1.x - CVE-2026-41883
OmniFaces: EL injection via crafted resource name in wildcar - CVE-2026-42811
Apache Polaris: could broaden vended GCS credentials through - CVE-2026-40477
Improper restriction of the scope of accessible objects in T - CVE-2025-11175
DiscussionTools should use better regex
V. Comments for CVE-2026-40478
No comments yet