External risk intelligence

Thymeleaf allows attackers to take control of services by embedding malicious code in web pages.

CVE advisory

Severity: CRITICAL (CVSS 9.0)

CVE-2026-40477

A critical flaw in Thymeleaf, a Java web component, could let attackers run their own code on your servers by embedding malicious content in web pages, especially when handling user input.

Halo Surface Signal: 4

Affected product: Thymeleaf

Affected versions: before 3.1.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-40477

Thymeleaf is a standard server-side template engine for Java web applications. These applications are frequently deployed as public-facing services. While the vulnerability depends on specific implementation patterns regarding user input, the library is a core component of web interfaces, making its exposure in internet-facing deployments common.

Horizon Alert

Summary of the vulnerability and why it matters

A security bypass vulnerability exists in the Thymeleaf template engine, allowing sensitive objects to be accessed within templates. This means if unvalidated user input is passed to the engine, remote attackers could potentially execute code on the server.

  • Server-side template injection is possible.
  • Affects internet-facing web applications.
  • Exploitable without authentication.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to a web application that uses a vulnerable version of Thymeleaf. If the application improperly handles user input within its templates, the attacker can inject malicious expressions, leading to server-side code execution. This allows them to potentially take control of the affected server.

  • Unauthenticated remote attacker
  • Server-side template injection
  • User input in templates

Live Threat

Current exploitation, exposure, and threat context

This Server-Side Template Injection vulnerability in Thymeleaf could be readily weaponized. Attackers favor SSTI flaws because they often allow arbitrary code execution or access to sensitive application data. This particular vulnerability is concerning because it bypasses existing protections and affects a widely used Java template engine, increasing the likelihood of exploitation in internet-facing applications.

  • Server-side template injection is a popular attack.
  • Exploitation requires specific application patterns.
  • Vulnerability patched recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Thymeleaf 3.1.3.RELEASE and earlier to 3.1.4.RELEASE to mitigate Server-Side Template Injection risk in applications that pass unvalidated user input to templates. For critical or actively exploited environments, consider isolating affected services until the patch can be applied.

  • Update Thymeleaf to 3.1.4.RELEASE.
  • Isolate vulnerable services if patching is delayed.
  • Monitor for SSTI exploitation attempts.
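As an added example (not from the advisory or the Thymeleaf project), a small Python triage helper covering the first and third actions above: it flags Thymeleaf versions earlier than 3.1.4.RELEASE from a dependency inventory, and scans access-log lines for URL-encoded Thymeleaf expression delimiters in request parameters. The version strings and log lines are constructed, and the delimiter regex is a monitoring heuristic, not a Thymeleaf API.

```python
import re
from urllib.parse import unquote_plus

# Fixed release named by the advisory: Thymeleaf 3.1.4.RELEASE.
FIXED_VERSION = (3, 1, 4)

def parse_thymeleaf_version(version: str) -> tuple:
    """Turn '3.1.3.RELEASE' or '3.1.4' into a comparable numeric tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Thymeleaf version: {version!r}")
    return tuple(int(n) for n in m.groups())

def is_affected(version: str) -> bool:
    """True when the version is earlier than the fixed 3.1.4.RELEASE."""
    return parse_thymeleaf_version(version) < FIXED_VERSION

# Thymeleaf expression delimiters: ${...}, *{...}, #{...}, @{...}, ~{...}.
# None of them belongs in a legitimate query-string value, so their presence
# after URL decoding is a reasonable (heuristic, not authoritative) SSTI signal.
TEMPLATE_EXPR = re.compile(r"[$*#@~]\{")

def suspicious_params(log_line: str) -> list:
    """Return names of query parameters in an access-log line whose decoded
    value contains template-expression syntax."""
    m = re.search(r'"(?:GET|POST) [^? "]*\?([^ "]*)', log_line)
    if not m:
        return []
    return [
        name
        for name, _, value in (p.partition("=") for p in m.group(1).split("&"))
        if TEMPLATE_EXPR.search(unquote_plus(value))
    ]

def flag_lines(lines) -> list:
    """(line number, flagged parameters) for every log line worth a look."""
    return [(i, hits) for i, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /search?q=thymeleaf+docs&lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:07 +0000] "GET /page?lang=%24%7Bprobe%7D HTTP/1.1" 200 123',
]

if __name__ == "__main__":
    for v in ("3.1.3.RELEASE", "3.1.4.RELEASE"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(flag_lines(SAMPLE_LOG))
```

Treat a hit as a trigger for closer review of that request and the handler it reached, not as proof of exploitation.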

Frequently asked questions

What is Thymeleaf and what is its role in web development?

Thymeleaf is a Java-based, server-side template engine designed for web and standalone applications. It assists developers in generating dynamic web content by processing template files and integrating them with application data.

What type of vulnerability does CVE-2026-40477 represent and what is the weakness class?

CVE-2026-40477 describes a security bypass vulnerability, specifically a Server-Side Template Injection (SSTI). The associated weakness classes are CWE-917 (Improper Neutralization of Input During Query Construction ('SQL Injection')) and CWE-1336 (Improper Neutralization of Special Elements Used in Template Engine).

How can an unauthenticated remote attacker exploit this Thymeleaf vulnerability to achieve SSTI?

An attacker can exploit this vulnerability by sending specially crafted input to a web application that uses a vulnerable version of Thymeleaf. If the application passes unvalidated user input directly to the template engine, the attacker can inject malicious expressions that bypass security protections, leading to Server-Side Template Injection.

What is the relevance of CVE-2026-40477, and why is it considered likely to be exploited?

Thymeleaf is a common server-side template engine for Java web applications, which are often deployed as public-facing services. Although exploitation requires specific implementation patterns, the vulnerability's ability to bypass protections in a widely used component increases the likelihood of its exploitation in internet-facing applications.

What is the recommended action to mitigate the risks associated with this Thymeleaf vulnerability?

The recommended action is to update Thymeleaf to version 3.1.4.RELEASE, as versions 3.1.3.RELEASE and prior are affected. If immediate patching is not feasible, consider isolating affected services until the update can be applied and monitor for Server-Side Template Injection attempts.
