top of page
perceptive_background_267k.jpg

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in…

Published:

16 april 2026 om 22:00:00

Alert date:

17 april 2026 om 23:02:26

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Supply Chain & Dependencies

Thymeleaf, a server-side Java template engine, contains a security bypass vulnerability in versions 3.1.3.RELEASE and prior. The vulnerability exists in the expression execution mechanisms where the library fails to properly neutralize specific syntax patterns. This allows unauthenticated remote attackers to bypass protections and achieve Server-Side Template Injection (SSTI) when developers pass unvalidated user input directly to the template engine. The issue affects web and standalone environments and has been fixed in version 3.1.4.RELEASE.

Technical details

Mitigation steps:

Affected products:

Thymeleaf

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-40478
https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page