Thymeleaf SSTI Flaw Enables Java RCE via Template Injection
CVE-2026-40478 bypasses Thymeleaf's expression protections, allowing attackers to execute arbitrary Java code through crafted template input. Upgrade to 3.1.4.RELEASE now.
A critical server-side template injection vulnerability in Thymeleaf allows attackers to bypass the Java template engine's expression evaluation protections and execute arbitrary code on vulnerable servers. CVE-2026-40478 affects all Thymeleaf versions prior to 3.1.4.RELEASE.
Thymeleaf is one of the most widely used template engines in the Java ecosystem, particularly popular with Spring Boot applications. The vulnerability has significant reach across enterprise Java deployments.
How the Bypass Works
Thymeleaf's expression evaluation system includes protections meant to prevent server-side template injection attacks. CVE-2026-40478 exploits flaws in these protections through several vectors:
- Obfuscated input that evades pattern-based blocking
- Partially encoded data that bypasses validation
- Overlooked escape rules in expression parsing
When a developer passes user input directly to template expressions—a common anti-pattern in web applications—attackers can inject malicious expressions that execute arbitrary Java code.
Proof of Concept
Consider a vulnerable Spring controller:
@GetMapping("/hello")
public String hello(@RequestParam("name") String name, Model model) {
    // Untrusted request parameter handed straight to the template layer
    model.addAttribute("username", name);
    return "hello";
}
An attacker could craft a request like:
GET /hello?name=$[T(java.lang.Runtime).getRuntime().exec('id')]
If that value is parsed as a Thymeleaf expression, this runs the id command on the server. What decides exploitability is where the value lands: a model attribute rendered through a fixed expression such as th:text="${username}" is escaped and emitted as text, whereas splicing the raw value into expression or template source that Thymeleaf then parses (string concatenation, a user-controlled view or fragment name, or the __${...}__ preprocessing syntax) hands the attacker the expression parser. In real attacks, threat actors would use this foothold to establish reverse shells, deploy webshells, or exfiltrate data.
The vulnerability is particularly dangerous because template injection often occurs in error handling paths, logging functions, or dynamic content generation—areas where security review may be less rigorous.
Who's Affected
Any application using Thymeleaf versions prior to 3.1.4.RELEASE that passes user-controlled input to template expressions. This includes:
- Spring Boot applications using Thymeleaf as the view layer
- Legacy Java web applications with custom Thymeleaf integration
- Content management systems built on Thymeleaf templating
The vulnerability requires user input to reach template expression evaluation. Applications that properly sanitize inputs or avoid dynamic expression construction may not be directly exploitable—but defense in depth requires upgrading regardless.
Template Injection in Context
Server-side template injection has become a recurring theme in recent vulnerability news. Template engines trade off flexibility for security, and small gaps in expression evaluation can have severe consequences.
We've seen similar patterns in other templating technologies. The fundamental issue—treating user input as code—mirrors SQL injection and command injection vulnerabilities that have plagued applications for decades. Unlike those attack classes, SSTI often escapes detection by traditional web application firewalls because payloads can be heavily obfuscated.
Remediation Steps
- Upgrade to Thymeleaf 3.1.4.RELEASE or later immediately
- Audit template usage for any instances where user input reaches expression evaluation
- Never pass untrusted input directly to expressions—treat all user data as potential attack payloads
- Use parameterized templates where dynamic content is needed
- Implement input validation at the application layer before data reaches the template engine
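The following is an added illustration of the parameterization point above, not code from the article or from the Thymeleaf project. Both methods render the same greeting with Thymeleaf's own TemplateEngine API: renderUnsafe concatenates untrusted input into the template source, so expression syntax inside it is parsed and evaluated; renderSafe keeps the template constant and passes the input as a context variable that a fixed ${name} expression references, so it is only ever output as escaped text. The inline string templates and the sample input are constructed for the demonstration and stand in for templates loaded from the classpath in a real Spring Boot application.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

/**
 * Added example (not from the article or Thymeleaf itself): the same greeting
 * rendered with user input as template source (unsafe) and as data (safe).
 */
public class GreetingRenderer {

    private final TemplateEngine engine;

    public GreetingRenderer() {
        // StringTemplateResolver treats the template name passed to process()
        // as the template text itself; convenient for a self-contained demo.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
    }

    /** Anti-pattern: untrusted input becomes part of the expression text. */
    public String renderUnsafe(String untrustedName) {
        // Whatever is in untrustedName is now inside a Standard Expression,
        // so ${...} fragments in it are evaluated rather than printed.
        String template = "<p th:text=\"'Hello, " + untrustedName + "'\"></p>";
        return engine.process(template, new Context());
    }

    /** Parameterized form: constant template, input supplied as a variable. */
    public String renderSafe(String untrustedName) {
        String template = "<p th:text=\"'Hello, ' + ${name}\"></p>";
        Context ctx = new Context();
        ctx.setVariable("name", untrustedName);   // data only, never parsed
        return engine.process(template, ctx);
    }

    public static void main(String[] args) {
        GreetingRenderer r = new GreetingRenderer();
        // Constructed sample input that closes the string literal and
        // inserts an expression; harmless arithmetic is enough to show
        // whether the engine evaluated it.
        String input = "' + ${7*7} + '";
        // Unsafe: the attribute value becomes 'Hello, ' + ${7*7} + '' and the
        // standalone engine (OGNL) renders the arithmetic result inside the <p>.
        System.out.println("unsafe: " + r.renderUnsafe(input));
        // Safe: the input is output verbatim (HTML-escaped); ${7*7} stays text.
        System.out.println("safe:   " + r.renderSafe(input));
    }
}
```

The safe form is the template-engine equivalent of a prepared statement: the engine sees a fixed expression and the user's bytes only as a value. Audit item three in the list above reduces to finding every place where a String containing request data reaches process(), a view name, a fragment selector, or a preprocessing expression.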
Detection Guidance
Organizations should monitor for:
- Unusual Java process execution from web application contexts
- Template error messages in logs that include expression syntax
- Outbound connections from application servers to unexpected destinations
- Web requests containing expression syntax characters ($, #, @, {, })
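The last bullet is only useful if the check runs on decoded data: the page's own bypass list includes partially encoded input, and a pattern match on the raw request line misses a %-encoded or double-encoded payload. The scanner below is an added example, not from the article, that extracts the request target from constructed combined-log-format lines, URL-decodes the query string repeatedly until it stops changing, and then looks for Thymeleaf and SpEL/OGNL expression markers. The log lines, the field layout, and the marker list are constructed assumptions for the demo.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the article): flags access-log requests whose
 * query string contains template-expression syntax after full URL decoding.
 */
public class SstiRequestScanner {

    // Openers of Thymeleaf standard expressions (${ *{ #{ @{ ~{), the __${...}__
    // preprocessing marker, the SpEL/OGNL type operator T(...), and two method
    // names that appear in nearly every Java RCE payload.
    private static final Pattern EXPRESSION_SYNTAX = Pattern.compile(
        "[$*#@~]\\{|__\\$|\\bT\\([a-zA-Z_][\\w.]*\\)|getRuntime|ProcessBuilder");

    // Request line inside a combined-log-format entry: "GET /path?query HTTP/1.1"
    private static final Pattern REQUEST = Pattern.compile("\"[A-Z]+ (\\S+) HTTP/[\\d.]+\"");

    /** Decode until the string is stable; capped so hostile input cannot spin it. */
    static String fullyDecode(String s) {
        String prev = s;
        for (int i = 0; i < 5; i++) {
            String next;
            try {
                next = URLDecoder.decode(prev, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return prev;   // malformed %-escape: keep the last good decoding
            }
            if (next.equals(prev)) {
                return next;
            }
            prev = next;
        }
        return prev;
    }

    /** Returns "target => decoded query" for every line whose query looks like an expression. */
    static List<String> scan(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) {
                continue;
            }
            String target = m.group(1);
            int q = target.indexOf('?');
            if (q < 0) {
                continue;                      // no query string to inspect
            }
            String decoded = fullyDecode(target.substring(q + 1));
            if (EXPRESSION_SYNTAX.matcher(decoded).find()) {
                hits.add(target + " => " + decoded);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines; not real traffic. The second is a plainly
        // encoded payload, the third is double-encoded and would pass a check
        // that only decodes once or inspects the raw line.
        List<String> sample = List.of(
            "10.0.0.5 - - [18/Apr/2026:10:01:02 +0000] \"GET /hello?name=alice HTTP/1.1\" 200 512",
            "10.0.0.9 - - [18/Apr/2026:10:01:03 +0000] \"GET /hello?name=%24%7BT(java.lang.Runtime).getRuntime().exec('id')%7D HTTP/1.1\" 500 0",
            "10.0.0.9 - - [18/Apr/2026:10:01:04 +0000] \"GET /hello?name=%2524%257B7*7%257D HTTP/1.1\" 200 512",
            "10.0.0.7 - - [18/Apr/2026:10:01:05 +0000] \"GET /search?q=price%20%3C%20100 HTTP/1.1\" 200 2048");
        for (String hit : scan(sample)) {
            System.out.println("suspicious: " + hit);
        }
    }
}
```

On the sample above only the second and third lines are reported; the search request with an encoded "<" is left alone because a single special character is not expression syntax. Treat hits as triage candidates rather than blocks: JSON or JavaScript in query strings will trip the brace pattern, so correlate with the 5xx responses, template error messages and unexpected child processes from the other bullets before escalating.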
The vulnerability disclosure and technical details are available through CVE databases, though given NIST's recent prioritization changes, enrichment data may be limited depending on whether this CVE meets federal software criteria.
Java shops running Thymeleaf should treat this as urgent. Template injection vulnerabilities enable immediate code execution with no additional exploitation steps required.