Maintainers of Thymeleaf, a widely used template engine for Java web applications, fixed a rare critical vulnerability that allows unauthenticated attackers to execute malicious code on servers. The vulnerability, tracked as CVE-2026-40478, is rated 9.1 on the CVSS severity scale and is described as a Server-Side Template Injection (SSTI) issue. Thymeleaf has a sandbox-like protection that prevents user input from executing dangerous expressions, but this flaw allows attackers to bypass those protections. “Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions,...