A critical vulnerability, CVE-2026-40478 (CVSS 9.1), has been patched in Thymeleaf, the widely used Java template engine that most often appears in Spring applications. The flaw is a server-side template injection (SSTI) issue: an unauthenticated attacker whose input reaches a template expression can bypass the library's expression sandbox and achieve remote code execution. The bypass chains two weaknesses. First, the check meant to block object instantiation only looked for the keyword 'new' followed by an ASCII space, so 'new' followed by a tab (or another whitespace character) slipped through. Second, the class blocklist covered 'java.*' but not 'org.springframework.*', so Spring's own classes stayed reachable. Researchers at Endor Labs combined the two into a working proof of concept using a tab character and Spring's FileSystemResource class. All Thymeleaf versions before 3.1.4.RELEASE are affected, no workaround exists, and upgrading immediately is strongly advised.
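The two weaknesses above are easier to reason about side by side in code. The following is an added illustration written for this page, not Thymeleaf's own sandbox code: a hypothetical `naiveAllows` guard built in the shape the article describes (ASCII-space-only 'new' check plus a 'java.' blocklist) next to a hypothetical `hardenedAllows` guard that treats any whitespace after the keyword as instantiation and requires every fully qualified class reference to match an allowlist. The sample expressions, the `com.example.model.` allowlist prefix and the method names are all assumptions for the demo.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical demo (not Thymeleaf code) contrasting a space-only 'new' check
 * and package blocklist with a whitespace-aware check and class allowlist.
 */
public class ExpressionGuardDemo {

    /** Naive guard mirroring the flaw pattern described in the article. */
    static boolean naiveAllows(String expr) {
        // Only "new" followed by ASCII space (0x20) is treated as instantiation,
        // so "new\t..." is not recognised.
        if (expr.contains("new ")) {
            return false;
        }
        // Blocklist names JDK packages only; org.springframework.* is not listed.
        return !expr.contains("java.");
    }

    // Hardened guard: the keyword counts when followed by ASCII whitespace (\s),
    // a Unicode separator (\p{Z}) or '(' and is not glued to an identifier.
    private static final Pattern NEW_KEYWORD =
            Pattern.compile("(?<![\\p{L}\\p{N}_$])new(?=[\\s\\p{Z}(])");

    // Any dotted reference ending in a capitalised segment is treated as a
    // class reference and must start with an allowlisted package prefix.
    private static final Pattern CLASS_REF =
            Pattern.compile("(?:[A-Za-z_$][\\w$]*\\.)+[A-Z][\\w$]*");

    // Assumed allowlist for the demo application's own view-model classes.
    private static final List<String> ALLOWED_PREFIXES =
            List.of("com.example.model.");

    static boolean hardenedAllows(String expr) {
        if (NEW_KEYWORD.matcher(expr).find()) {
            return false;
        }
        Matcher m = CLASS_REF.matcher(expr);
        while (m.find()) {
            String ref = m.group();
            boolean allowed = ALLOWED_PREFIXES.stream().anyMatch(ref::startsWith);
            if (!allowed) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample expressions; the third uses a real tab after 'new'.
        String[] samples = {
            "${user.name}",
            "${new java.io.File('/etc/passwd')}",
            "${new\torg.springframework.core.io.FileSystemResource('/etc/passwd')}",
            "${T(java.lang.Runtime).getRuntime()}",
        };
        for (String s : samples) {
            System.out.printf("%-75s naive=%-5b hardened=%b%n",
                    s.replace("\t", "\\t"), naiveAllows(s), hardenedAllows(s));
        }
    }
}
```

Run with `javac ExpressionGuardDemo.java && java ExpressionGuardDemo` (Java 11 or newer). The tab-separated Spring expression is the interesting row: the naive guard lets it through for exactly the two reasons the article gives, while the hardened guard rejects it on the keyword alone and would also reject it on the class allowlist. Two caveats for anyone building such a check: Java's `\s` is ASCII-only unless `Pattern.UNICODE_CHARACTER_CLASS` is set, which is why the pattern also matches `\p{Z}`; and an allowlist of fully qualified names is deliberately conservative, so a property path with a capitalised segment would be refused and should be allowlisted explicitly. None of this is a substitute for the upgrade: confirm the Thymeleaf version actually on the classpath (for example with `mvn dependency:tree` or `gradle dependencies`) and move to 3.1.4.RELEASE or later.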

Source: csoonline.com (3 min read)
