Vulnerable Library - spring-boot-starter-thymeleaf-3.3.5.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-starter-thymeleaf version) |
Remediation Possible** |
| CVE-2026-40478 |
 Critical |
9.0 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2026-40477 |
Critical |
9.0 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-40478
Vulnerable Libraries - thymeleaf-spring6-3.1.2.RELEASE.jar, thymeleaf-3.1.2.RELEASE.jar
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- ❌ thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- thymeleaf-spring6-3.1.2.RELEASE.jar
- ❌ thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). Patches This has been fixed in Thymeleaf 3.1.4.RELEASE. Workarounds No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case. Credits Thanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.
Publish Date: 2026-04-16
URL: CVE-2026-40478
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xjw8-8c5c-9r79
Release Date: 2026-04-18
Fix Resolution: org.thymeleaf:thymeleaf:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring6:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.4.RELEASE
CVE-2026-40477
Vulnerable Libraries - thymeleaf-3.1.2.RELEASE.jar, thymeleaf-spring6-3.1.2.RELEASE.jar
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- thymeleaf-spring6-3.1.2.RELEASE.jar
- ❌ thymeleaf-3.1.2.RELEASE.jar (Vulnerable Library)
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-3.3.5.jar (Root Library)
- ❌ thymeleaf-spring6-3.1.2.RELEASE.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). Patches This has been fixed in Thymeleaf 3.1.4.RELEASE. Workarounds No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case. Credits Thanks to Thomas Reburn (Praetorian) for responsible disclosure.
Publish Date: 2026-04-16
URL: CVE-2026-40477
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r4v4-5mwr-2fwr
Release Date: 2026-04-18
Fix Resolution: org.thymeleaf:thymeleaf:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring6:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.4.RELEASE
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Libraries - thymeleaf-spring6-3.1.2.RELEASE.jar, thymeleaf-3.1.2.RELEASE.jar
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). Patches This has been fixed in Thymeleaf 3.1.4.RELEASE. Workarounds No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case. Credits Thanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.
Publish Date: 2026-04-16
URL: CVE-2026-40478
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xjw8-8c5c-9r79
Release Date: 2026-04-18
Fix Resolution: org.thymeleaf:thymeleaf:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring6:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.4.RELEASE
Vulnerable Libraries - thymeleaf-3.1.2.RELEASE.jar, thymeleaf-spring6-3.1.2.RELEASE.jar
thymeleaf-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.2.RELEASE/273997509a4c7aef86cee0521750140c587d9be2/thymeleaf-3.1.2.RELEASE.jar,/pom.xml
Dependency Hierarchy:
thymeleaf-spring6-3.1.2.RELEASE.jar
Library home page: https://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.2.RELEASE/6030c7b4e260c41336f378e53da6e8531263f24b/thymeleaf-spring6-3.1.2.RELEASE.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). Patches This has been fixed in Thymeleaf 3.1.4.RELEASE. Workarounds No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case. Credits Thanks to Thomas Reburn (Praetorian) for responsible disclosure.
Publish Date: 2026-04-16
URL: CVE-2026-40477
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r4v4-5mwr-2fwr
Release Date: 2026-04-18
Fix Resolution: org.thymeleaf:thymeleaf:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring6:3.1.4.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.4.RELEASE