Vulnerable Library - spring-boot-starter-thymeleaf-4.0.4.jar
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/7.0.6/2baeb353efd42374239cc45e8d02780d6c6e7a77/spring-web-7.0.6.jar
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-starter-thymeleaf version) |
Remediation Possible** |
| CVE-2026-40976 |
 Critical |
9.1 |
spring-boot-4.0.4.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-41901 |
Critical |
9.0 |
detected in multiple dependencies |
Transitive |
N/A* |
❌ |
| CVE-2026-40478 |
Critical |
9.0 |
detected in multiple dependencies |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40477 |
Critical |
9.0 |
detected in multiple dependencies |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40973 |
 High |
7.0 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-22740 |
 Medium |
6.5 |
spring-web-7.0.6.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40974 |
Medium |
5.0 |
spring-boot-autoconfigure-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40971 |
Medium |
5.0 |
spring-boot-autoconfigure-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40975 |
Medium |
4.8 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40977 |
Medium |
4.7 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-40976
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40976
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot-security:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-41901
Vulnerable Libraries - thymeleaf-spring6-3.1.3.RELEASE.jar, thymeleaf-3.1.3.RELEASE.jar
thymeleaf-spring6-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.3.RELEASE/4b276ea2bd536a18e44b40ff1d9f4848965ff59c/thymeleaf-spring6-3.1.3.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ thymeleaf-spring6-3.1.3.RELEASE.jar (Vulnerable Library)
thymeleaf-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.3.RELEASE/51474f2a90b282ee97dabcd159c7faf24790f373/thymeleaf-3.1.3.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- thymeleaf-spring6-3.1.3.RELEASE.jar
- ❌ thymeleaf-3.1.3.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
Publish Date: 2026-05-12
URL: CVE-2026-41901
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c9ph-gxww-7744
Release Date: 2026-05-05
Fix Resolution: org.thymeleaf:thymeleaf-spring6:3.1.5.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.5.RELEASE,org.thymeleaf:thymeleaf:3.1.5.RELEASE
Step up your Open Source Security Game with Mend here
CVE-2026-40478
Vulnerable Libraries - thymeleaf-3.1.3.RELEASE.jar, thymeleaf-spring6-3.1.3.RELEASE.jar
thymeleaf-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.3.RELEASE/51474f2a90b282ee97dabcd159c7faf24790f373/thymeleaf-3.1.3.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- thymeleaf-spring6-3.1.3.RELEASE.jar
- ❌ thymeleaf-3.1.3.RELEASE.jar (Vulnerable Library)
thymeleaf-spring6-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.3.RELEASE/4b276ea2bd536a18e44b40ff1d9f4848965ff59c/thymeleaf-spring6-3.1.3.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ thymeleaf-spring6-3.1.3.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40478
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xjw8-8c5c-9r79
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.5
Step up your Open Source Security Game with Mend here
CVE-2026-40477
Vulnerable Libraries - thymeleaf-3.1.3.RELEASE.jar, thymeleaf-spring6-3.1.3.RELEASE.jar
thymeleaf-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.3.RELEASE/51474f2a90b282ee97dabcd159c7faf24790f373/thymeleaf-3.1.3.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- thymeleaf-spring6-3.1.3.RELEASE.jar
- ❌ thymeleaf-3.1.3.RELEASE.jar (Vulnerable Library)
thymeleaf-spring6-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.3.RELEASE/4b276ea2bd536a18e44b40ff1d9f4848965ff59c/thymeleaf-spring6-3.1.3.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ thymeleaf-spring6-3.1.3.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40477
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r4v4-5mwr-2fwr
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.5
Step up your Open Source Security Game with Mend here
CVE-2026-40973
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-22740
Vulnerable Library - spring-web-7.0.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/7.0.6/2baeb353efd42374239cc45e8d02780d6c6e7a77/spring-web-7.0.6.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ spring-web-7.0.6.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsupported versions are also affected.
Publish Date: 2026-04-29
URL: CVE-2026-22740
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22740
Release Date: 2026-04-18
Fix Resolution (org.springframework:spring-web): 7.0.7
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40974
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-starter-4.0.4.jar
- ❌ spring-boot-autoconfigure-4.0.4.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40971
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-starter-4.0.4.jar
- ❌ spring-boot-autoconfigure-4.0.4.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40971
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-40971
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40975
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40977
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-4.0.4.jar (Root Library)
- spring-boot-thymeleaf-4.0.4.jar
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/7.0.6/2baeb353efd42374239cc45e8d02780d6c6e7a77/spring-web-7.0.6.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40976
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot-security:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - thymeleaf-spring6-3.1.3.RELEASE.jar, thymeleaf-3.1.3.RELEASE.jar
thymeleaf-spring6-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.3.RELEASE/4b276ea2bd536a18e44b40ff1d9f4848965ff59c/thymeleaf-spring6-3.1.3.RELEASE.jar
Dependency Hierarchy:
thymeleaf-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.3.RELEASE/51474f2a90b282ee97dabcd159c7faf24790f373/thymeleaf-3.1.3.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.
Publish Date: 2026-05-12
URL: CVE-2026-41901
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c9ph-gxww-7744
Release Date: 2026-05-05
Fix Resolution: org.thymeleaf:thymeleaf-spring6:3.1.5.RELEASE,org.thymeleaf:thymeleaf-spring5:3.1.5.RELEASE,org.thymeleaf:thymeleaf:3.1.5.RELEASE
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - thymeleaf-3.1.3.RELEASE.jar, thymeleaf-spring6-3.1.3.RELEASE.jar
thymeleaf-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.3.RELEASE/51474f2a90b282ee97dabcd159c7faf24790f373/thymeleaf-3.1.3.RELEASE.jar
Dependency Hierarchy:
thymeleaf-spring6-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.3.RELEASE/4b276ea2bd536a18e44b40ff1d9f4848965ff59c/thymeleaf-spring6-3.1.3.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40478
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xjw8-8c5c-9r79
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.5
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - thymeleaf-3.1.3.RELEASE.jar, thymeleaf-spring6-3.1.3.RELEASE.jar
thymeleaf-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.3.RELEASE/51474f2a90b282ee97dabcd159c7faf24790f373/thymeleaf-3.1.3.RELEASE.jar
Dependency Hierarchy:
thymeleaf-spring6-3.1.3.RELEASE.jar
Library home page: http://www.thymeleaf.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf-spring6/3.1.3.RELEASE/4b276ea2bd536a18e44b40ff1d9f4848965ff59c/thymeleaf-spring6-3.1.3.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.
Publish Date: 2026-04-17
URL: CVE-2026-40477
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r4v4-5mwr-2fwr
Release Date: 2026-04-17
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Fix Resolution (org.thymeleaf:thymeleaf-spring6): 3.1.4.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-7.0.6.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/7.0.6/2baeb353efd42374239cc45e8d02780d6c6e7a77/spring-web-7.0.6.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsupported versions are also affected.
Publish Date: 2026-04-29
URL: CVE-2026-22740
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-22740
Release Date: 2026-04-18
Fix Resolution (org.springframework:spring-web): 7.0.7
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40971
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-40971
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 4.0.6
Step up your Open Source Security Game with Mend here