Thymeleaf, a widely-used modern server-side Java template engine for both web and standalone environments, has released a critical security update. The update addresses two high-severity vulnerabilities that could allow unauthenticated remote attackers to bypass built-in security protections and achieve Server-Side Template Injection (SSTI).
Both flaws carry a CVSS score of 9.1 and affect all versions of the library up to and including 3.1.3.RELEASE.
While Thymeleaf includes mechanisms designed to prevent expression injection, the new research reveals two distinct ways these protections can be circumvented.
The first vulnerability, tracked as CVE-2026-40477, involves a breakdown in how the engine restricts access to internal objects. According to the advisory, the library “fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template”.
The second flaw, tracked as CVE-2026-40478, targets the neutralization of unauthorized expression patterns. The report states that the engine “fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions”.
In both cases, the vulnerability is triggered when application developers inadvertently create an opening for attackers. Specifically, “if an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library’s protections to achieve Server-Side Template Injection (SSTI)”.
Once an attacker achieves SSTI, they can often execute arbitrary code in the context of the application server, potentially leading to total system compromise, data theft, and lateral movement within the network.
The Thymeleaf maintainers have officially closed these loopholes with the release of 3.1.4.RELEASE.
The advisory warns that “no workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine”. Developers should audit their code to ensure that user-controlled data is never used to dynamically construct template names or expressions.
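The audit the advisory calls for comes down to one distinction: user input may be supplied to the engine as data (a context variable that a fixed template renders), never as part of the template source or the template name that the engine parses. The following Java example, added here and not taken from the advisory or from the Thymeleaf project, shows the pattern to flag beside the corrected form, plus an allowlist for view names. The class and method names (`TemplateInputAudit`, `renderUnsafe`, `renderSafe`, `resolveView`) and the allowed view names are assumptions for illustration; the Thymeleaf API calls (`TemplateEngine`, `StringTemplateResolver`, `Context.setVariable`, `process`) are the library's real ones.

```java
import java.util.Set;

import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Illustrative class (assumed name), not part of Thymeleaf or the advisory.
public class TemplateInputAudit {

    // A StringTemplateResolver treats the string passed to process() as the
    // template source itself, which is exactly what must never be user-controlled.
    private static TemplateEngine engine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // PATTERN TO FLAG IN AN AUDIT: the user-supplied string is concatenated into
    // the template source, so the engine parses it as markup and expressions
    // rather than rendering it as data. This is the opening the advisory describes.
    static String renderUnsafe(String userSupplied) {
        String template = "<p>Hello, " + userSupplied + "</p>";
        return engine().process(template, new Context());
    }

    // CORRECTED FORM: the template is a fixed constant and the user value only
    // ever enters as a context variable; th:text escapes it as text.
    private static final String GREETING =
            "<p th:text=\"'Hello, ' + ${name}\"></p>";

    static String renderSafe(String userSupplied) {
        Context ctx = new Context();
        ctx.setVariable("name", userSupplied);
        return engine().process(GREETING, ctx);
    }

    // Template (view) names must likewise never come straight from the request.
    // Resolve a requested name against a fixed allowlist (assumed names) and fall
    // back to a known view instead of passing the raw value to the engine.
    private static final Set<String> ALLOWED_VIEWS = Set.of("home", "profile", "help");

    static String resolveView(String requested) {
        if (requested == null || !ALLOWED_VIEWS.contains(requested)) {
            return "home";
        }
        return requested;
    }

    public static void main(String[] args) {
        // Constructed input: harmless markup, enough to show the difference
        // between "parsed as template" and "rendered as escaped data".
        String input = "<b>world</b>";
        System.out.println("unsafe: " + renderUnsafe(input)); // markup is interpreted
        System.out.println("safe:   " + renderSafe(input));   // markup is escaped
        System.out.println("view:   " + resolveView("../admin")); // falls back to "home"
    }
}
```

In a Spring MVC application the same rule applies to the `String` a controller returns as its view name and to values passed to `ModelAndView`: treat both as template references chosen by the application, resolved through an allowlist like `resolveView`, while request data goes into the model and is rendered by fixed templates.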