Critical (9.0)

Thymeleaf SSTI allows server-side code execution (CVE-2026-40477)

CVE-2026-40477

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Al...

Overview

A critical security bypass vulnerability in the Thymeleaf Java template engine could allow attackers to execute arbitrary code on affected servers. Tracked as CVE-2026-40477, this flaw resides in versions 3.1.3.RELEASE and earlier.

Vulnerability Details

Thymeleaf is designed to safely process templates by restricting the objects a template can access. This vulnerability breaks that security boundary. The library’s expression execution mechanisms fail to properly restrict the scope of accessible objects, allowing an attacker to reach sensitive internal objects. When an application passes unvalidated user input directly to the template engine, an attacker can inject malicious expressions. This results in Server-Side Template Injection (SSTI), effectively bypassing the library’s built-in protections.

Impact and Severity

This is a critical vulnerability with a CVSS score of 9.0. An unauthenticated remote attacker could exploit this flaw to execute arbitrary code on the server hosting the vulnerable Thymeleaf application. The potential consequences are severe, including:

  • Full compromise of the application server.
  • Theft of sensitive data, such as database credentials or user information.
  • Deployment of ransomware or other malware on the host system.

The attack can be performed over the network with no user interaction required, making it highly exploitable.

Affected Versions and Remediation

All versions of Thymeleaf up to and including 3.1.3.RELEASE are affected.

Primary Fix: The only complete remediation is to upgrade to Thymeleaf version 3.1.4.RELEASE or later. This update contains the necessary fixes to properly restrict object access within templates. Developers should update their project dependencies immediately.

Mitigation (If Patching is Delayed): As an interim measure, application developers must rigorously validate and sanitize all user input before it is passed to the Thymeleaf template engine for processing. However, input validation is complex and error-prone; upgrading the library is the strongly recommended action. Organizations should also review their applications for any signs of compromise, as this type of vulnerability is a prime target for attackers seeking initial access.
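The precondition the Vulnerability Details section describes (user input reaching the engine as template text) and the interim mitigation above are easiest to see side by side. The following is an added example written for this advisory; it is not code from the advisory, from the Thymeleaf project, or from any affected application. The class name, method names, and the allowlist pattern are assumptions; the Thymeleaf API calls (`TemplateEngine`, `StringTemplateResolver`, `Context`, `process`) are the library's public 3.x API.

```java
import java.util.regex.Pattern;

import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Added example: the risky rendering pattern beside a safe one.
public class GreetingRenderer {

    // Interim allowlist (assumption): plain words, digits, spaces and a few
    // punctuation marks. Anything else is rejected before the engine sees it.
    private static final Pattern ALLOWED = Pattern.compile("^[\\p{L}\\p{N} .,'-]{1,64}$");

    private final TemplateEngine engine;

    public GreetingRenderer() {
        // Resolve templates from in-memory strings so the example is self-contained.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
    }

    // RISKY: user input is concatenated into the template *source*, so the
    // engine parses and evaluates any expression syntax it contains. This is
    // exactly the "unvalidated user input passed directly to the template
    // engine" condition the advisory describes for CVE-2026-40477.
    public String renderUnsafe(String userInput) {
        String template = "<p>Hello, " + userInput + "</p>";
        return engine.process(template, new Context());
    }

    // SAFE: the template text is a fixed string under developer control.
    // User input enters only as a model variable and is rendered with
    // th:text, which HTML-escapes it and never treats it as an expression.
    public String renderSafe(String userInput) {
        String template = "<p th:text=\"'Hello, ' + ${name}\">Hello</p>";
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return engine.process(template, ctx);
    }

    // Interim mitigation for code paths that cannot yet be restructured:
    // reject input that does not match a strict allowlist. This is a
    // stopgap, not a substitute for upgrading to 3.1.4.RELEASE or later.
    public static String requireAllowlisted(String userInput) {
        if (userInput == null || !ALLOWED.matcher(userInput).matches()) {
            throw new IllegalArgumentException("input rejected by allowlist");
        }
        return userInput;
    }

    public static void main(String[] args) {
        GreetingRenderer r = new GreetingRenderer();
        // Constructed sample input: benign text with a character that th:text escapes.
        System.out.println(r.renderSafe("Ada <Lovelace>"));
        // Constructed sample input that the allowlist rejects before rendering.
        try {
            r.renderUnsafe(requireAllowlisted("Ada ${not allowed}"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The structural fix is to keep `renderSafe`'s shape everywhere: templates are developer-authored constants or files, and request data only ever travels through the `Context`. The allowlist exists only to buy time until the dependency is moved to 3.1.4.RELEASE or later, which the advisory names as the only complete remediation.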

Security Insight

This vulnerability highlights the persistent risk in abstraction layers designed for safety, like template engines. When the core security promise of “sandboxing” fails, it can instantly expose a vast number of applications that trusted the library’s integrity. Similar template engine SSTI flaws in other ecosystems, such as certain Python and JavaScript frameworks, have historically been rapidly weaponized following disclosure, underscoring the urgency for Java developers to apply this patch.
