CVE Vulnerabilities

CVE-2026-40478

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Published: Apr 17, 2026 | Modified: Jun 30, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
8.5 IMPORTANT
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Ubuntu
root.io logo minimus.io logo echo.ai logo

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the librarys protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Weakness

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Affected Software

NameVendorStart VersionEnd Version
ThymeleafThymeleaf*3.1.4 (excluding)
Red Hat OpenShift Dev Spaces 3.28RedHatdevspaces/openvsx-rhel9:1779528224*
Red Hat OpenShift Dev Spaces 3.28RedHatdevspaces/pluginregistry-rhel9:1779359423*

Potential Mitigations

  • If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:

References