Class based , object oriented programming language. Designed to have less dependencies as possible. The syntex of Java is smilier to C and C++. Commonly used for client-server applications. Java files are compiled by JVM (Java Virtual Machine)

Java

### Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).
### Patches
This has been fixed in Thymeleaf 3.1.4.RELEASE.
### Workarounds
No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.
### Credits
Thanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-40478	CRITICAL	9	Java	org.thymeleaf:thymeleaf-spring5	No	Yes	Apr 15, 2026
CVE-2026-40477	CRITICAL	9	Java	org.thymeleaf:thymeleaf-spring6	No	Yes	Apr 15, 2026
CVE-2026-40882	HIGH	7.6	Java	io.openremote:openremote-manager	No	Yes	Apr 15, 2026
GHSA-gj7p-595x-qwf5	MEDIUM	6.8	Java	dev.dsf:dsf-common-jetty	No	Yes	Apr 15, 2026
GHSA-xmj9-7625-f634	MEDIUM	6.3	Java	dev.dsf:dsf-bpe-server	No	Yes	Apr 15, 2026

CVE-2026-40478:
Java vulnerability analysis and mitigation

Impact

Patches

Workarounds

Credits

9

Related Java vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2026-40478: Java vulnerability analysis and mitigation