External risk intelligence

An attacker can take control of web servers that use Thymeleaf by sending specially crafted input.

CVE advisory. Severity: CRITICAL (CVSS 9.0)

CVE-2026-40478

A critical flaw in the Thymeleaf Java template engine allows attackers to run unauthorized code on web servers. Internet-facing applications can be fully compromised if they run an unpatched version and pass user-controlled input into templates without proper validation.

Halo Surface Signal: 4

Affected product: Thymeleaf, versions before 3.1.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-40478

Thymeleaf is a widely used server-side template engine for web applications, and those applications are frequently deployed as internet-facing services. The vulnerability is exploitable through ordinary HTTP requests to such applications, so the attack surface is reachable by external, unauthenticated users.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Thymeleaf template engine allows remote attackers to bypass the engine's expression safeguards and execute unauthorized code on the server. It is critical because it can lead to complete compromise of an affected web application whenever that application passes unvalidated user input directly to the engine.

  • Affects web applications using Thymeleaf.
  • Can lead to server-side code execution.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can exploit this vulnerability by sending crafted input to a web application that uses a vulnerable version of Thymeleaf. If the application passes that input directly into a template without proper sanitization, the attacker can trick the template engine into evaluating arbitrary expressions, which leads to server-side code execution.

  • Targets unvalidated user input.
  • Requires the application to pass user input directly into a template.
  • Exploits a flaw in expression evaluation.
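The following Java program is an added illustration of the attack path described above; it is not code from this page or from the Thymeleaf project, and the class name, the sample strings and the probe expression are constructed for the example. It shows the generic pattern that makes Server-Side Template Injection possible on any Thymeleaf version (user input concatenated into the template itself) next to the safe pattern (user input bound as a model variable and rendered through a fixed template). It does not reproduce the specific bypass syntax for CVE-2026-40478, which this page does not describe; an engine at or above 3.1.4.RELEASE is still required.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

/**
 * Added example: vulnerable versus safe use of the Thymeleaf engine.
 * Requires the thymeleaf 3.x artifact on the classpath.
 */
public class TemplateInjectionDemo {

    /** Build an engine that treats the string passed to process() as the template body. */
    private static TemplateEngine newEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    /**
     * VULNERABLE: the request value becomes part of the template source, so any
     * th:* attribute or ${...} expression the attacker supplies is evaluated by
     * the engine with server-side privileges.
     */
    static String renderVulnerable(String userInput) {
        TemplateEngine engine = newEngine();
        String template = "<p>Hello, " + userInput + "</p>";
        return engine.process(template, new Context());
    }

    /**
     * SAFE: the template is a constant controlled by the developer; the request
     * value is only data in the context. th:text HTML-escapes it, so expression
     * syntax inside the value is displayed, never evaluated.
     */
    static String renderSafe(String userInput) {
        TemplateEngine engine = newEngine();
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        String template = "<p th:text=\"|Hello, ${name}|\">placeholder</p>";
        return engine.process(template, ctx);
    }

    public static void main(String[] args) {
        // Constructed probe: a harmless arithmetic expression. If it is evaluated,
        // the attacker controls expression evaluation and can escalate from there.
        String probe = "<span th:text=\"${7*7}\"></span>";

        System.out.println("vulnerable: " + renderVulnerable(probe));
        System.out.println("safe:       " + renderSafe(probe));
    }
}
```

Run it with the Thymeleaf jar on the classpath. In the vulnerable path the engine evaluates the injected expression, which is exactly the condition the advisory describes; in the safe path the same string is rendered as escaped text. The durable defence is therefore structural: user input must never be part of the template source (or of a view name that is resolved into one), regardless of which engine version is deployed.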

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Thymeleaf's expression processing allows remote attackers to execute unauthorized code when developers pass unvalidated input to the template engine. The library does include protections, but they can be bypassed with specific syntax. Internet-facing web applications on vulnerable versions could therefore be targeted, although exploitation depends on the application passing user input into templates and on the attacker knowing the bypass.

  • No public exploit has been observed yet.
  • Not listed in CISA KEV.
  • The fix is recent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Thymeleaf to version 3.1.4.RELEASE to address the Server-Side Template Injection vulnerability. If patching is delayed, implement strict input validation and consider temporarily disabling user-provided content that is rendered by templates. Treat input validation as a stopgap only: the lasting fix is to keep user input out of template source entirely and to bind it as model data that a fixed template renders.

  • Upgrade to Thymeleaf 3.1.4.RELEASE.
  • Validate all user input before rendering, and never build templates from it.
  • Monitor for suspicious template execution patterns.

Frequently asked questions

What is Thymeleaf and what is its primary function in web development?

Thymeleaf is a server-side Java template engine used by web applications and standalone programs. It processes templates to generate dynamic content, enabling developers to create web pages and other text-based outputs that adapt based on user input or data.

What security weakness does CVE-2026-40478 represent and what is its classification?

CVE-2026-40478 is a Server-Side Template Injection (SSTI) vulnerability, classified as CWE-917 (Expression Language Injection). This weakness allows attackers to bypass the engine's security mechanisms and execute unintended code on the server.

How can an attacker exploit CVE-2026-40478, and what conditions are necessary?

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted input to a web application that uses a vulnerable Thymeleaf version. Exploitation occurs if application developers pass unvalidated user input directly into the template engine, bypassing its built-in protections.

What is the significance of CVE-2026-40478 for internet-facing applications?

This vulnerability is significant for internet-facing applications because it is exploitable via standard HTTP requests, making the attack surface accessible to external, unauthenticated users. This could lead to a complete compromise of affected web applications.

What is the recommended remediation for CVE-2026-40478 and what are interim mitigation strategies?

The primary fix is to update Thymeleaf to version 3.1.4.RELEASE. If immediate patching is not possible, applications should apply strict input validation to all user-provided content before it is rendered and, more importantly, ensure user input is passed to templates only as model data rather than as part of the template source. Monitoring for suspicious template execution is also advised.
