112 matches found
CVE-2026-40477
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
CVE-2026-40478
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
CVE-2026-40478 Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
CVE-2026-40478
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
CVE-2026-40478 Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
CVE-2026-40478
CVE-2026-40478 affects the Thymeleaf Java template engine (versions up to 3.1.3.RELEASE). A security bypass allows unauthenticated SSTI by passing unvalidated input to the expression evaluation mechanism; this is fixed in 3.1.4.RELEASE. Connected sources consistently state the root cause as impro...
CVE-2026-40477 Improper restriction of the scope of accessible objects in Thymeleaf expressions
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
CVE-2026-40477
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
CVE-2026-40477
Thymeleaf (Java template engine) versions up to 3.1.3.RELEASE are affected by an SSTI vulnerability in expression execution, where unvalidated user input can bypass protections and access potentially sensitive objects within a template. This is a security bypass allowing unauthenticated remote ex...
CVE-2026-40477 Improper restriction of the scope of accessible objects in Thymeleaf expressions
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...
thymeleaf 安全漏洞
Thymeleaf is an open-source Java template engine developed by Thymeleaf projects. Versions of Thymeleaf 3.1.3.RELEASE and earlier contain security vulnerabilities. These vulnerabilities stem from a security bypass in the expression execution mechanism; certain syntax patterns are not properly...
thymeleaf 安全漏洞
Thymeleaf is an open-source Java template engine developed by Thymeleaf projects. Versions of Thymeleaf 3.1.3.RELEASE and earlier contain security vulnerabilities. These vulnerabilities stem from a security bypass in the expression execution mechanism; access to certain objects is not properly...
ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), am.ik.home:uaa-server (>=1.0.0 <=1.9.0) +3237 more potentially affected by CVE-2026-40478 via org.thymeleaf:thymeleaf (>=m1 <=3.1.3.RELEASE)
org.thymeleaf:thymeleaf MAVEN version =m1, =0.5.0, =1.0.0, =0.9.6, =0.9.6, =1.0.0, =0.0.1, =1.0.0, =1.0, =3.4.0, =5.6.5, =4.1.0, =6.4.7 and more Source cves: CVE-2026-40478 Source advisory: OSV:GHSA-XJW8-8C5C-9R79...
best.skn:skn-spring-mail (>=1.0.0 <=2.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=7.0.0 <=8.8.1) +746 more potentially affected by CVE-2026-40478 via org.thymeleaf:thymeleaf-spring6 (>=3.1.0.M1 <=3.1.3.RELEASE)
org.thymeleaf:thymeleaf-spring6 MAVEN version =3.1.0.M1, =1.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.6.0, =7.6.0, =7.0.0, =7.0.0, =8.8.1 and more Source cves: CVE-2026-40478 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16078377...
ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), au.org.consumerdatastandards:client-cli (>=1.1.1 <=2.4.1) +1473 more potentially affected by CVE-2026-40478 via org.thymeleaf:thymeleaf-spring5 (>=3.0.10.RELEASE <=3.1.3.RELEASE)
org.thymeleaf:thymeleaf-spring5 MAVEN version =3.0.10.RELEASE, =0.5.0, =1.1.1, =3.4.0, =5.6.5, =4.1.0, =4.1.0, =3.7.0, =3.7.0, =5.3.0, =6.2.0, =5.1.0, =6.8.0, =6.4.0, =5.3.0, =3.7.0, =5.5.7 and more Source cves: CVE-2026-40478 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16078378...
ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), au.com.cybernostics:theme-tree (=0.9.0) +2936 more potentially affected by CVE-2026-40478 via org.thymeleaf:thymeleaf (>=3.0.0.ALPHA01 <=3.1.3.RELEASE)
org.thymeleaf:thymeleaf MAVEN version =3.0.0.ALPHA01, =0.5.0, =0.9.6, =0.9.6, =1.0.0, =0.0.1, =1.0.0, =1.0, =3.4.0, =5.6.5, =4.1.0, =4.1.0, =3.6.0, =5.0.0, =5.5.7 and more Source cves: CVE-2026-40478 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16078379...
ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=6.10.0 <=6.10.5), ca.uhn.hapi.fhir:hapi-fhir-cli-app (>=6.10.0 <=6.10.5) +162 more potentially affected by CVE-2026-40478 via org.thymeleaf:thymeleaf-spring5 (>=3.0.9.RELEASE <=3.1.3.RELEASE)
org.thymeleaf:thymeleaf-spring5 MAVEN version =3.0.9.RELEASE, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =1.19.0, =v1.1, =v1.2 - cn.haoxiaoyong.ocr.email:email-msg =v1.0 and more Source cves: CVE-2026-40478 Source advisory:...
best.skn:skn-spring-mail (>=1.0.0 <=2.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=7.0.0 <=8.8.1) +746 more potentially affected by CVE-2026-40478 via org.thymeleaf:thymeleaf-spring6 (>=3.1.0.M1 <=3.1.3.RELEASE)
org.thymeleaf:thymeleaf-spring6 MAVEN version =3.1.0.M1, =1.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.6.0, =7.6.0, =7.0.0, =7.0.0, =8.8.1 and more Source cves: CVE-2026-40478 Source advisory: OSV:GHSA-XJW8-8C5C-9R79...
Template Injection
Overview Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper invalidation of certain syntactic patterns during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation Upgrade...
Template Injection
Overview Affected versions of this package are vulnerable to Template Injection due to the TemplateEngine's improper invalidation of certain syntactic patterns during expression evaluation. An attacker can inject into sensitive objects to execute unauthorized actions. Remediation Upgrade...