## Spring Boot Thymeleaf Starter 2.7.1 Harbors Critical RCE Flaws With Reachable Exploit Path
A WhiteSource security scan has flagged the spring-boot-starter-thymeleaf library at version 2.7.1 as containing five distinct vulnerabilities, with the highest carrying a CVSS score of 9.0—placing it firmly in critical territory. The scan, triggered on a Maven project dependency file, identified the vulnerable artifact at /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-starter-thymeleaf/2.7.1/, and classified the most severe flaw as reachable, meaning an attacker with access to the application attack surface could potentially exploit it without needing to chain additional vulnerabilities.

The critical vulnerability is tracked under CVE-2026-40477 and resides in the transitive dependency thymeleaf-3.0.15.RELEASE.jar. Unlike flaws in directly declared dependencies, flaws in transitive dependencies often escape notice because the affected library enters the project tree indirectly, pulled in by another library rather than listed in the project's own build file. The scan data shows no available patch or remediation for this specific issue, and the exploit maturity remains undefined, leaving security teams without clear guidance on whether active exploitation is occurring in the wild.
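Surfacing that indirect chain is the first step in assessing exposure. The following script, added here as an example and not part of the original report or of any WhiteSource tooling, parses the text output of `mvn dependency:tree` and reports every chain from the project root to a given group:artifact, optionally pinned to one version, flagging whether the match is direct or transitive; the embedded sample tree is constructed, with coordinates that follow the artifacts named above.

```python
import re
from typing import List, Optional

# Constructed sample of `mvn dependency:tree` output (not captured from a real project);
# the coordinates follow the artifacts named in the scan report above.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  \\- org.thymeleaf:thymeleaf-spring5:jar:3.0.15.RELEASE:compile
[INFO] |     \\- org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] BUILD SUCCESS
"""

# A tree line: optional "[INFO] " tag, a drawing prefix of ' ', '|', '+', '\\', '-'
# (three characters per nesting level), then a Maven coordinate with no spaces.
LINE_RE = re.compile(r"^(?:\[INFO\] )?(?P<prefix>[ |+\\-]*)(?P<coord>[A-Za-z]\S*)$")

def find_paths(tree_text: str, group: str, artifact: str, version: Optional[str] = None) -> List[List[str]]:
    """Return every chain root -> ... -> match for group:artifact (optionally one version)."""
    stack: List[str] = []          # coordinates of the current line's ancestors
    paths: List[List[str]] = []
    for raw in tree_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue                # BUILD SUCCESS, blank lines, plugin banners, etc.
        coord = m.group("coord")
        parts = coord.split(":")    # group:artifact:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue
        depth = len(m.group("prefix")) // 3
        del stack[depth:]           # pop back to this line's parent
        stack.append(coord)
        ver = parts[-2] if len(parts) >= 5 else parts[-1]
        if (parts[0], parts[1]) == (group, artifact) and (version is None or ver == version):
            paths.append(list(stack))
    return paths

def describe(paths: List[List[str]]) -> List[str]:
    """One line per chain, flagging whether the match is a direct or transitive dependency."""
    out = []
    for p in paths:
        kind = "direct" if len(p) == 2 else f"transitive, depth {len(p) - 1}"
        out.append(f"[{kind}] " + " -> ".join(p[1:]))
    return out

if __name__ == "__main__":
    for line in describe(find_paths(SAMPLE_TREE, "org.thymeleaf", "thymeleaf", "3.0.15.RELEASE")):
        print(line)
```

To check a real project, replace SAMPLE_TREE with the saved output of `mvn dependency:tree`; a `[transitive, ...]` result names the direct dependency through which the flagged jar enters the build.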

The presence of a reachable, unpatched critical flaw in a widely deployed Spring Boot templating dependency raises immediate concerns for organizations running Thymeleaf-based MVC applications. Development teams using this library should first determine whether their specific configurations expose the vulnerable attack surface, apply temporary compensating controls such as restricting the input that reaches template rendering, and upgrade to a patched release once one is available, while monitoring for emerging threat intelligence on CVE-2026-40477.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-40477, RCE, Spring Boot, Thymeleaf, transitive dependency
- **Credibility**: unverified
- **Published**: 2026-04-24 20:54:09
- **ID**: 76957
- **URL**: https://whisperx.ai/en/intel/76957