CVE-2026-40477 | thymeleaf/thymeleaf-spring5/thymeleaf-spring6 up to 3.1.3 expression language injection (GHSA-r4v4-5mwr-2fwr)
A vulnerability identified as problematic has been detected in thymeleaf, thymeleaf-spring5 and thymeleaf-spring6 up to 3.1.3. This affects an unknown function. The manipulation leads to improper neutralization of special elements used in an expression language statement.
This vulnerability is uniquely identified as CVE-2026-40477. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.