{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40477", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.113Z", "datePublished": "2026-04-17T21:53:47.271Z", "dateUpdated": "2026-04-22T03:55:41.093Z"}, "containers": {"cna": {"title": "Improper restriction of the scope of accessible objects in Thymeleaf expressions", "problemTypes": [{"descriptions": [{"cweId": "CWE-917", "lang": "en", "description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr"}], "affected": [{"vendor": "thymeleaf", "product": "thymeleaf", "versions": [{"version": "< 3.1.4.RELEASE", "status": "affected"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring5", "versions": [{"version": "< 3.1.4.RELEASE", "status": "affected"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring6", "versions": [{"version": "< 3.1.4.RELEASE", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:53:47.271Z"}, "descriptions": [{"lang": "en", "value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."}], "source": {"advisory": "GHSA-r4v4-5mwr-2fwr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-40477"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T03:55:41.093Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T13:23:45.621367Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:32:39.391Z"}}], "cna": {"title": "Improper restriction of the scope of accessible objects in Thymeleaf expressions", "source": {"advisory": "GHSA-r4v4-5mwr-2fwr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "thymeleaf", "product": "thymeleaf", "versions": [{"status": "affected", "version": "< 3.1.4.RELEASE"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring5", "versions": [{"status": "affected", "version": "< 3.1.4.RELEASE"}]}, {"vendor": "thymeleaf", "product": "org.thymeleaf:thymeleaf-spring6", "versions": [{"status": "affected", "version": "< 3.1.4.RELEASE"}]}], "references": [{"url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr", "name": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-917", "description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:53:47.271Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40477", "state": "PUBLISHED", "dateUpdated": "2026-04-22T03:55:41.093Z", "dateReserved": "2026-04-13T19:50:42.113Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T21:53:47.271Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thymeleaf:thymeleaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "1719DA8A-E398-4802-AF24-0A2558214772", "versionEndExcluding": "3.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE."}], "id": "CVE-2026-40477", "lastModified": "2026-04-24T16:58:57.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:33.500", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution", "id": "2459344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459344"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-917", "details": ["Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.", "A flaw was found in Thymeleaf, a server-side Java template engine. An unauthenticated remote attacker can exploit a security bypass vulnerability in the expression execution mechanisms. By providing unvalidated user input directly to the template engine, the attacker can bypass the library's protections, leading to Server-Side Template Injection (SSTI). This allows access to potentially sensitive objects from within a template."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-40477", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "camel-thymeleaf", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "smallrye-mutiny-vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "smallrye-mutiny-vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "smallrye-mutiny-vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "spring-boot-starter-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "thymeleaf-extras-java8time", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "thymeleaf-spring5", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "vertx-web-templ-thymeleaf", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "spring-boot-starter-thymeleaf", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "thymeleaf", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "thymeleaf-extras-java8time", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "thymeleaf-spring5", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-04-17T21:53:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40477\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40477\nhttps://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.4.RELEASE)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "org.thymeleaf:thymeleaf-spring5", "source": "cna", "vendor": "thymeleaf"}, "product": "org.thymeleaf:thymeleaf-spring5", "vendor": "thymeleaf"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.4.RELEASE)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "org.thymeleaf:thymeleaf-spring6", "source": "cna", "vendor": "thymeleaf"}, "product": "org.thymeleaf:thymeleaf-spring6", "vendor": "thymeleaf"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.4.RELEASE)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "thymeleaf", "source": "cna", "vendor": "thymeleaf"}, "product": "thymeleaf", "vendor": "thymeleaf"}], "analysis": {"en": {"generated_at": "2026-04-18T08:52:40.843376+00:00", "value": {"mitigation_remediation": ["Upgrade Thymeleaf to 3.1.4.RELEASE or later", "Validate and sanitize all data before passing it to the template engine to ensure no user input reaches the expression evaluator", "Configure the Thymeleaf context to expose only the objects required by the application, reducing the potential attack surface"], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Template Injection"}, "threat_synthesis": {"affected_systems": "Versions 3.1.3.RELEASE and earlier of Thymeleaf, including the thymeleaf\u2011spring5, thymeleaf\u2011spring6, and core thymeleaf components, are affected. The fix began in 3.1.4.RELEASE.", "description_and_impact": "Thymeleaf\u2019s expression execution mechanism fails to properly restrict the scope of accessible objects, allowing an attacker to reach sensitive objects from within a template. When an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u2019s protections and achieve Server\u2011Side Template Injection, potentially exposing confidential data or executing arbitrary code. The weakness corresponds to CWE\u20111336 and CWE\u2011917.", "risk_and_exploitability": "The CVSS score of 9.1 indicates high severity, and the vulnerability is not listed in CISA KEV. Although no EPSS score is available, the description shows that the flaw can be exploited by any unauthenticated user who can inject input into a template. The likely attack vector involves inserting a malicious expression into user\u2011controlled data that is then rendered by the template engine."}}}}, "created": "2026-04-18T09:00:05.895972+00:00", "updated": "2026-04-20T14:59:29.257933+00:00", "vendors": ["thymeleaf", "thymeleaf$PRODUCT$org.thymeleaf:thymeleaf-spring5", "thymeleaf$PRODUCT$org.thymeleaf:thymeleaf-spring6", "thymeleaf$PRODUCT$thymeleaf"]}