CVE-2026-40478: Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library’s protections to achieve Server-Side Template Injection (SSTI).
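The advisory's precondition is an application that lets request data reach the template engine as template syntax rather than as data. The following Spring MVC controller, added here as an illustration and not taken from the advisory, from GitLab or from the Thymeleaf project, shows that anti-pattern next to a hardened form. It assumes Spring Boot with spring-boot-starter-thymeleaf; the controller class, the view and fragment names, the `page` request parameter and the allow-list contents are hypothetical.

```java
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical controller (added example, not the project's code).
@Controller
public class PageController {

    // VULNERABLE PATTERN: the request parameter is concatenated into the value
    // the view resolver hands to Thymeleaf, so attacker-controlled text is
    // interpreted as view/fragment expression syntax instead of as data. This
    // is the "unvalidated user input passed directly to the template engine"
    // case the advisory describes; the library's expression protections are
    // the only thing standing between this code and SSTI, and the advisory
    // states that those protections can be bypassed in affected versions.
    @GetMapping("/unsafe")
    public String unsafe(@RequestParam String page) {
        return "fragments :: " + page;
    }

    // HARDENED PATTERN: user input never becomes template syntax. The view
    // name is selected from a fixed allow-list, and the user-supplied value
    // is exposed to the template only as a model attribute, which the
    // template renders as escaped text (th:text="${requestedPage}") rather
    // than evaluating it. This removes the precondition regardless of the
    // library version, and a version upgrade should still be applied.
    private static final Set<String> ALLOWED_PAGES = Set.of("home", "about", "contact");

    @GetMapping("/safe")
    public String safe(@RequestParam String page, Model model) {
        if (!ALLOWED_PAGES.contains(page)) {
            // Reject anything outside the allow-list instead of trying to
            // sanitize it; sanitizing template syntax is exactly what the
            // advisory says cannot be relied upon.
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unknown page");
        }
        model.addAttribute("requestedPage", page); // data, never syntax
        return "page-" + page; // resolves only to page-home.html, page-about.html, page-contact.html
    }
}
```

When reviewing a code base for exposure, the pattern to search for is any controller return value, `ModelAndView` view name, or `th:insert`/`th:replace` fragment expression that is built from request data, headers, or other externally sourced strings; each such site should be converted to the allow-list plus model-attribute form above, independently of upgrading the dependency.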