## Critical CVE-2026-40478 in Thymeleaf 3.1.2 Libraries Bundled by HAPI FHIR Server
A critical-severity vulnerability, CVE-2026-40478, has been reported in the widely used Thymeleaf templating engine. The report at hand flags two artifacts, `thymeleaf-3.1.2.RELEASE.jar` and `thymeleaf-spring6-3.1.2.RELEASE.jar`, and states that other versions are affected as well without naming them. Any application that bundles these artifacts is exposed; in this case the finding comes from a dependency scan of the HAPI FHIR open-source healthcare interoperability server, where the libraries sit deep in the module tree.

The exposure is not confined to a single module. The scan shows the affected libraries reaching at least a dozen sub-projects of the HAPI FHIR ecosystem, including the core JPA server (`hapi-fhir-jpaserver-base`), the CLI tools, the subscription modules and the MDM (Master Data Management) components. In every case the finding points at the module's `pom.xml`, i.e. Thymeleaf is a declared Maven dependency (direct or inherited) of these modules rather than a stray JAR dropped into a lib directory. Two practical consequences follow. First, in a multi-module Maven project the version is typically set once in the parent POM and inherited, so the fix is normally a single version bump there rather than a dozen separate edits. Second, the engine is present in modules well beyond any web layer because HAPI FHIR uses Thymeleaf templates to render FHIR resource narratives, which means a server that never serves an HTML page can still load the library at runtime.

Bundling the library into a healthcare data server such as HAPI FHIR raises the stakes considerably, since these services hold protected health information. The exact nature of CVE-2026-40478 is not described in the source, so its impact cannot be stated here; a 'Critical' rating (CVSS 9.0 and above) does, however, signal severe consequences if exploitation succeeds, and for a server-side template engine the historically recurring failure mode is template injection leading to code execution or disclosure of server-side data. Do not assume that is the case here until the advisory says so. What can be done immediately: inventory every copy of the affected JARs, including copies shaded into other artifacts or deployed under a different file name; confirm which modules actually load Thymeleaf at runtime, not only which ones declare it; and pin the patched Thymeleaf release as soon as the project publishes one. Because the version is managed in HAPI FHIR's own POMs, that means either taking an upstream HAPI FHIR release that bumps it or overriding the version locally in `dependencyManagement` and re-running the build and tests.
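The audit step above, as an added example that is not HAPI FHIR or Thymeleaf project code: a Python script that flags the affected coordinates in `mvn dependency:tree` output, attributing each hit to the reactor module that pulls it in, and then scans a deployed `lib/` directory by reading the `pom.properties` file Maven embeds in each JAR, so a renamed or vendored copy is still found. The affected-version set is limited to 3.1.2.RELEASE because that is all the report names; the sample tree output and the JAR fixture are constructed for the demonstration.

```python
"""Find affected Thymeleaf artifacts in a Maven dependency tree and in deployed JARs.

Added example, not HAPI FHIR or Thymeleaf project code. AFFECTED lists only
the versions the report names; extend it once the advisory states the range.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# From the report: the two flagged artifacts at 3.1.2.RELEASE.
AFFECTED = {
    ("org.thymeleaf", "thymeleaf"): {"3.1.2.RELEASE"},
    ("org.thymeleaf", "thymeleaf-spring6"): {"3.1.2.RELEASE"},
}

# `mvn dependency:tree` text output: g:a:type[:classifier]:version:scope, e.g.
#   [INFO] |  \- org.thymeleaf:thymeleaf:jar:3.1.2.RELEASE:compile
TREE_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:(?:[\w.\-]+:)?([\w.\-]+):(\w+)")
# Reactor banner Maven prints before each module's tree in a multi-module build.
MODULE_LINE = re.compile(r"^\[INFO\] -+< ([\w.\-]+:[\w.\-]+) >-+")


def find_in_tree(tree_text):
    """Return [(module, groupId, artifactId, version, scope)] for every affected hit.

    The reactor banner is tracked so each hit is attributed to the sub-project
    that pulls the artifact in, directly or transitively.
    """
    hits, module = [], "?"
    for line in tree_text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            module = m.group(1)
            continue
        m = TREE_LINE.search(line)
        if m and m.group(3) in AFFECTED.get((m.group(1), m.group(2)), ()):
            hits.append((module,) + m.groups())
    return hits


def jar_coordinates(jar_path):
    """Read Maven coordinates from META-INF/maven/<g>/<a>/pom.properties inside a JAR.

    Keys on the embedded artifact, not the file name, so a renamed copy is still
    caught; a JAR that shades several artifacts yields several coordinates.
    """
    coords = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in raw and not raw.lstrip().startswith("#"):
                    k, _, v = raw.partition("=")
                    props[k.strip()] = v.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords


def scan_lib_dir(root):
    """Walk a deployed lib/ tree; return [(path, groupId, artifactId, version)] hits."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        for g, a, v in jar_coordinates(jar):
            if v in AFFECTED.get((g, a), ()):
                hits.append((str(jar), g, a, v))
    return hits


# Constructed sample reactor output: the second module also reaches thymeleaf
# transitively through thymeleaf-spring6.
SAMPLE_TREE = """\
[INFO] ------------------< ca.uhn.hapi.fhir:hapi-fhir-base >-------------------
[INFO] ca.uhn.hapi.fhir:hapi-fhir-base:jar:1.0.0-SNAPSHOT
[INFO] \\- org.thymeleaf:thymeleaf:jar:3.1.2.RELEASE:compile
[INFO] -------------< ca.uhn.hapi.fhir:hapi-fhir-jpaserver-base >--------------
[INFO] ca.uhn.hapi.fhir:hapi-fhir-jpaserver-base:jar:1.0.0-SNAPSHOT
[INFO] +- org.thymeleaf:thymeleaf-spring6:jar:3.1.2.RELEASE:compile
[INFO] |  \\- org.thymeleaf:thymeleaf:jar:3.1.2.RELEASE:compile
[INFO] \\- com.example:example-util:jar:1.0.0:compile
"""


def build_demo_lib(root):
    """Constructed fixture: WEB-INF/lib with two affected JARs (one renamed) and one clean JAR."""
    lib = Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    for fname, g, a, v in [
        ("thymeleaf-spring6-3.1.2.RELEASE.jar", "org.thymeleaf", "thymeleaf-spring6", "3.1.2.RELEASE"),
        ("template-engine.jar", "org.thymeleaf", "thymeleaf", "3.1.2.RELEASE"),  # renamed copy
        ("example-util-1.0.0.jar", "com.example", "example-util", "1.0.0"),
    ]:
        with zipfile.ZipFile(lib / fname, "w") as zf:
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"#Generated by Maven\ngroupId={g}\nartifactId={a}\nversion={v}\n")
    return lib


def demo_scan():
    """Run scan_lib_dir over the constructed fixture and return the hits."""
    with tempfile.TemporaryDirectory() as d:
        return scan_lib_dir(build_demo_lib(d))


if __name__ == "__main__":
    for hit in find_in_tree(SAMPLE_TREE):
        print("tree:", *hit)
    for hit in demo_scan():
        print("jar: ", *hit)
```

Against a real checkout, run `mvn -B dependency:tree -Dincludes=org.thymeleaf` at the HAPI FHIR root, save the output and pass it to `find_in_tree`; point `scan_lib_dir` at the deployed `WEB-INF/lib` (or the CLI's lib directory) to catch what the build tree cannot see, such as a JAR copied in by hand. The two views should agree; a JAR present on disk but absent from the tree is exactly the kind of copy that survives a version bump in the POM.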
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, Vulnerability, Java, Healthcare IT, Open Source Security
- **Credibility**: unverified
- **Published**: 2026-04-20 16:53:08
- **ID**: 72768
- **URL**: https://whisperx.ai/en/intel/72768