GHSA-r4v4-5mwr-2fwr

Source

https://github.com/advisories/GHSA-r4v4-5mwr-2fwr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r4v4-5mwr-2fwr/GHSA-r4v4-5mwr-2fwr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r4v4-5mwr-2fwr

Aliases

CVE-2026-40477

Published

2026-04-15T19:46:04Z

Modified

2026-05-05T16:10:40.722195Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Improper restriction of the scope of accessible objects in Thymeleaf expressions

Details

Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).

Patches

This has been fixed in Thymeleaf 3.1.4.RELEASE.

Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.

Credits

Thanks to Thomas Reburn (Praetorian) for responsible disclosure.

Database specific

{
    "nvd_published_at": "2026-04-17T22:16:33Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-1336",
        "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:46:04Z"
}

References

Affected packages

Maven / org.thymeleaf:thymeleaf

Package

Name: org.thymeleaf:thymeleaf; View open source insights on deps.dev
Purl: pkg:maven/org.thymeleaf/thymeleaf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.4.RELEASE

Affected versions

Other

1.*

1.0.0-beta1

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-beta5

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

2.*

2.0.0-beta1

2.0.0-beta2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.1.0-beta1

2.1.0-beta2

2.1.0-m1

2.1.0-m2

2.1.0-m3

2.1.0.RELEASE

2.1.1.RELEASE

2.1.2.RELEASE

2.1.3.RELEASE

2.1.4.RELEASE

2.1.5.RELEASE

2.1.6.RELEASE

3.*

3.0.0.ALPHA01

3.0.0.ALPHA02

3.0.0.ALPHA03

3.0.0.BETA01

3.0.0.BETA02

3.0.0.BETA03

3.0.0.RELEASE

3.0.1.RELEASE

3.0.2.RELEASE

3.0.3.RELEASE

3.0.4.RELEASE

3.0.5.RELEASE

3.0.6.RELEASE

3.0.7.RELEASE

3.0.8.RELEASE

3.0.9.RELEASE

3.0.10.RELEASE

3.0.11.RELEASE

3.0.12.RELEASE

3.0.13.RELEASE

3.0.14.RELEASE

3.0.15.RELEASE

3.1.0.M1

3.1.0.M2

3.1.0.M3

3.1.0.RC1

3.1.0.RC2

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

Database specific

last_known_affected_version_range

"<= 3.1.3.RELEASE"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r4v4-5mwr-2fwr/GHSA-r4v4-5mwr-2fwr.json"

Maven / org.thymeleaf:thymeleaf-spring5

Package

Name: org.thymeleaf:thymeleaf-spring5; View open source insights on deps.dev
Purl: pkg:maven/org.thymeleaf/thymeleaf-spring5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.4.RELEASE

Affected versions

3.*

3.0.3.M1

3.0.4.M2

3.0.5.M3

3.0.6.M4

3.0.7.RC1

3.0.8.RELEASE

3.0.9.RELEASE

3.0.10.RELEASE

3.0.11.RELEASE

3.0.12.RELEASE

3.0.13.RELEASE

3.0.14.RELEASE

3.0.15.RELEASE

3.1.0.M1

3.1.0.M2

3.1.0.M3

3.1.0.RC1

3.1.0.RC2

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

Database specific

last_known_affected_version_range

"<= 3.1.3.RELEASE"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r4v4-5mwr-2fwr/GHSA-r4v4-5mwr-2fwr.json"

Maven / org.thymeleaf:thymeleaf-spring6

Package

Name: org.thymeleaf:thymeleaf-spring6; View open source insights on deps.dev
Purl: pkg:maven/org.thymeleaf/thymeleaf-spring6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.4.RELEASE

Affected versions

3.*

3.1.0.M1

3.1.0.M2

3.1.0.M3

3.1.0.RC1

3.1.0.RC2

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

Database specific

last_known_affected_version_range

"<= 3.1.3.RELEASE"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r4v4-5mwr-2fwr/GHSA-r4v4-5mwr-2fwr.json"