Thymeleaf SSTI Bypass Enables Expression Injection in Spring Java Apps
A critical flaw tracked as CVE-2026-40478 allows attackers to bypass Thymeleaf’s expression-injection protections and achieve server-side template injection (SSTI) in applications that pass unvalidated user input into the template engine. The vulnerability affects Thymeleaf 3.1.3.RELEASE and earlier and stems from improper neutralization of syntax patterns in expression execution, including a whitespace parsing mismatch that let attackers evade detection of the SpEL new keyword and an incomplete type blocklist that still allowed dangerous class instantiation. The issue is mapped to CWE-917 and CWE-1336, with a published CVSS v3.1 vector of AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H.
Researchers said successful exploitation can enable arbitrary file writes and potentially remote code execution in Spring-based Java applications, where Thymeleaf is commonly used as the default template engine in Spring Boot. The flaw can be exploited remotely without authentication when attacker-controlled input reaches Thymeleaf expression parsing, view names, or fragment selectors. The issue is addressed in 3.1.4.RELEASE, which normalizes whitespace before checks, expands external-access detection, restricts dangerous expression objects, and tightens type restrictions; defenders are urged to upgrade thymeleaf, thymeleaf-spring5, and thymeleaf-spring6 and review applications to ensure untrusted input is never interpreted as template expressions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-40478 is published for Thymeleaf expression injection bypass
A CVE was published for a security bypass in Thymeleaf 3.1.3.RELEASE and earlier that can let an unauthenticated remote attacker achieve server-side template injection when applications pass unvalidated user input into template expressions. The issue was mapped to CWE-917 and CWE-1336 and referenced GitHub Security Advisory GHSA-xjw8-8c5c-9r79.
Thymeleaf fixes SSTI sandbox bypass in version 3.1.4.RELEASE
Thymeleaf addressed CVE-2026-40478 in version 3.1.4.RELEASE, fixing expression-sandbox bypasses caused by whitespace parsing mismatches and insufficient type restrictions. The update normalized whitespace before checks, expanded external-access detection, restricted dangerous expression objects, and tightened type restrictions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
The Thymeleaf Template Injection That Only Hurts If You Let It : r/netsec
reddit.com
Open sourceCVE-2026-40478 - Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
cvefeed.io
Open sourceIt's About Thyme: How a Whitespace Character Broke Thymeleaf's Expression Sandbox (CVE-2026-40478) | Blog | Endor Labs
endorlabs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Spring Security Flaw Leaves HTTP Security Headers Unwritten
Spring disclosed **`CVE-2026-22732`**, a vulnerability in **Spring Security** in which HTTP security headers may not be written under certain conditions, weakening browser-side protections that applications rely on to reduce exposure to client-side attacks. The issue affects the framework’s handling of response headers, creating a risk that expected defenses are absent even when developers believe they are enabled. Belgium’s **CCB Safeonweb** warned that the flaw can enable **multiple types of client-side attacks** and urged organizations to **patch immediately**. The combined advisories indicate that teams using Spring Security should review affected versions, apply vendor fixes, and verify that critical response headers are being sent correctly to browsers after remediation.
Mar 20, 2026
Critical SSTI in JTL Shop Enables Unauthenticated RCE and Webshell Deployment
A critical **server-side template injection** flaw tracked as `CVE-2026-54390` affects **JTL Shop** versions **5.2.0 through 5.7.1**, where unsanitized user input is passed to the **Smarty** template engine. The vulnerability allows **unauthenticated remote attackers** to inject malicious template syntax and access sensitive server-side information, including **database credentials** and **encryption keys**. On **JTL Shop 5.4.0 through 5.7.1**, the flaw can be escalated to **remote code execution** by abusing registered Smarty modifiers such as `unserialize` and `file_get_contents` to write a **webshell** into the web root and run arbitrary commands as the web server user. The issue has been rated **critical** with **CVSS 3.1 9.8** and **CVSS 4.0 9.3**, and affected organizations are advised to upgrade to **JTL Shop 5.7.2 or later** and ensure user input reaching the template engine is properly sanitized.
Jun 18, 2026
Spring patches LDAP auth bypass and multiple DoS flaws across Framework and Data
Spring disclosed a broad set of vulnerabilities across **Spring Framework**, **Spring Data Commons**, and **Spring LDAP**, including a high-severity authentication bypass tracked as `CVE-2026-41720`. The LDAP flaw allows login with a valid username and an empty or null password when the backing LDAP server permits unauthenticated binds, affecting authentication flows that use `AbstractContextSource`, `LdapTemplate`, or `LdapClient`. Spring also fixed a low-severity WebFlux session fixation issue (`CVE-2026-41839`) tied to compromised subdomains, and an information disclosure bug (`CVE-2026-41841`) in Spring MVC and WebFlux where shared static-resource caches could expose protected files if a public resource with the same name had already been cached. Several denial-of-service issues were patched at the same time. In Spring Framework, `CVE-2026-41840` can leak memory through malicious multipart requests in WebFlux, while `CVE-2026-41842` can tie up HTTP connections through slow resolution of versioned file-system resources in Spring MVC or WebFlux. In Spring Data Commons, `CVE-2026-41695`, `CVE-2026-41711`, `CVE-2026-41716`, and `CVE-2026-41721` can be triggered by attacker-controlled property paths, sort parameters, property names, or `@ProjectedPayload` data binding, leading to stack overflows, heap exhaustion, or excessive memory allocation when applications expose those inputs to untrusted users. Spring urged customers to upgrade to fixed releases, including Framework `7.0.8`, `6.2.19`, and `6.1.28`, Data Commons `4.0.6` and `3.5.12`, and LDAP `2.4.5`, `3.2.18`, `3.3.8`, or `4.0.4`, with some older branches receiving fixes only through commercial support.
Jun 11, 2026