Critical sandbox bypass fixed in popular Thymeleaf Java template engine
Summary
Maintainers of the Thymeleaf Java template engine have released a critical fix for a Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-40478. This flaw allows unauthenticated attackers to bypass sandbox protections and execute malicious code on servers by injecting crafted input into the template engine. The vulnerability impacts all Thymeleaf versions prior to 3.1.4.RELEASE, and due to the widespread use of Thymeleaf in the Java Spring ecosystem, a significant number of enterprise applications could be affected.
IFF Assessment
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on servers, posing a direct threat to the confidentiality, integrity, and availability of affected systems.
Severity
The vulnerability allows for Server-Side Template Injection (SSTI) with a network attack vector, no privileges required, and no user interaction. The impact includes complete compromise of Confidentiality, Integrity, and Availability.
Defender Context
This vulnerability is critical for organizations using Thymeleaf in their Java web applications, especially those integrated with the Spring framework. Defenders must prioritize upgrading to Thymeleaf version 3.1.4.RELEASE immediately to mitigate the risk of remote code execution. Careful code review and input validation practices are essential, particularly for dynamic content passed to template engines.
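The code-review point above is easiest to apply with a concrete pattern in hand. The following is an added illustration written for this advisory; it is not Thymeleaf project code and it does not reproduce the mechanics of CVE-2026-40478, whose details the advisory does not give. It contrasts the general anti-pattern (untrusted input concatenated into template source, where the engine parses and evaluates it) with the hardened form (a fixed template, with untrusted input supplied only as a model variable that `th:text` emits as escaped text). The class name, the two method names and the sample input are assumptions made for the example; the Thymeleaf API calls (`TemplateEngine`, `StringTemplateResolver`, `Context`, `process`) are real.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Hypothetical class for this advisory; not part of Thymeleaf or any project.
public class TemplateInputHandling {

    // Builds an engine that treats the string passed to process() as the
    // template source itself (the same setup a code reviewer should look for).
    private static TemplateEngine engine() {
        TemplateEngine engine = new TemplateEngine();
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode("HTML");
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // Anti-pattern: untrusted input becomes part of the template source.
    // Anything in it that looks like markup or expression syntax is parsed
    // by the engine instead of being treated as data.
    static String renderUnsafe(String untrustedName) {
        String template = "<p>Hello, " + untrustedName + "</p>";
        return engine().process(template, new Context());
    }

    // Hardened form: the template is a constant written by the developer;
    // untrusted input only ever enters as a model variable, and th:text
    // renders it as escaped text, never as template syntax.
    static String renderSafe(String untrustedName) {
        Context ctx = new Context();
        ctx.setVariable("name", untrustedName);
        return engine().process("<p th:text=\"|Hello, ${name}|\"></p>", ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup, to show the difference
        // in how each path treats it.
        String input = "Ada <b>Lovelace</b>";
        System.out.println("unsafe: " + renderUnsafe(input));
        // prints the <b> element as live markup inside the paragraph
        System.out.println("safe:   " + renderSafe(input));
        // prints &lt;b&gt;Lovelace&lt;/b&gt; as escaped text
    }
}
```

During review, grep for `process(` calls whose first argument is built from request data, and for `StringTemplateResolver` use alongside string concatenation; both are signals that input is reaching the template source rather than the model. To confirm the deployed version, `mvn dependency:tree` (or the Gradle equivalent) lists the resolved `org.thymeleaf` artifacts so the upgrade to 3.1.4.RELEASE can be verified rather than assumed.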