CVE-2026-40478 - Vulnerability Analysis
Severity: Critical | CVSS: 9.0 | Last Updated: April 17, 2026
Thymeleaf - Server-Side Template Injection
Published: April 17, 2026 | Updated: April 17, 2026 | Remote Exploitable
Overview
Thymeleaf versions up to and including 3.1.3.RELEASE contain a server-side template injection vulnerability caused by improper neutralization of specific syntax patterns during expression execution. An unauthenticated remote attacker can use it to execute unauthorized expressions. Exploitation requires that unvalidated user input is passed to the template engine.
Severity & Score
Severity: Critical
CVSS Score: 9.0
Impact
Unauthenticated remote attackers can execute unauthorized server-side template expressions, potentially leading to remote code execution or data compromise.
Mitigation
Upgrade to version 3.1.4.RELEASE or later.
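The condition the overview names, unvalidated user input reaching the template engine, most often arises in Spring MVC code that lets a request parameter become the view name. The following Java example is added here and is not code from the advisory or from the Thymeleaf project; the controller, its routes and the `PAGES` allowlist are hypothetical. It shows that risky flow beside a hardened form in which the parameter only selects from a fixed set of template names and user data goes into the model, where Thymeleaf escapes it, rather than into template resolution. The allowlist is defense in depth alongside the upgrade the mitigation section calls for, not a substitute for it.

```java
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical controller used to illustrate the advisory's precondition.
@Controller
public class PageController {

    // Hypothetical allowlist: the only templates this controller is permitted to render.
    private static final Map<String, String> PAGES = Map.of(
        "home", "pages/home",
        "about", "pages/about");

    // Risky flow: the request parameter is returned as the view name, so the
    // template engine resolves attacker-controlled text. This is the kind of
    // unvalidated input path the advisory describes.
    @GetMapping("/unsafe")
    public String unsafe(@RequestParam String page) {
        return page;
    }

    // Hardened flow: the parameter is only a key into the fixed map. Unknown keys
    // are rejected with 404, so no user-controlled text reaches template resolution.
    // User data is placed in the model, which Thymeleaf renders with escaping.
    @GetMapping("/safe")
    public String safe(@RequestParam String page, Model model) {
        String view = PAGES.get(page);
        if (view == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        model.addAttribute("requestedPage", page);
        return view;
    }
}
```

When auditing an application for this precondition, look for controller methods whose return value, `ModelAndView` name, or `th:insert`/`th:replace` fragment expression is derived from request data; each such site should be replaced with a fixed mapping as in `safe`, and the Thymeleaf dependency pinned to 3.1.4.RELEASE or later.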
Details
- CVE ID: CVE-2026-40478
- Severity: Critical
- CVSS Score: 9.0
- Type: template_injection
- Status: new
CWE
- CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, 'Expression Language Injection')
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H