Sonar-security-java-frontend-plugin-10.11.1.35426.jar vulnerable to CVE-2026-40478

The library org.thymeleaf:thymeleaf version 3.1.3, detected by the Maven library manager at /[Partition=996039c6]/data/web/deploy/plugins/securityjavafrontend/sonar-security-java-frontend-plugin-10.11.1.35426.jar -> META-INF/lib/thymeleaf-3.1.3.RELEASE.jar, is vulnerable to CVE-2026-40478.

Wiz.io detected this. Our current setup is Sonar 2025.1.4 with Postgres 17.9.

We are trying to upgrade to Sonar 2026.2.1 in order to fix the issue, but I see that the jar in this version still contains Thymeleaf version 3.1.3.

Can you please confirm whether the upgrade will fix this issue, or whether we need to wait for a patch from SonarQube? If the latter,

is there any hot patch available that we can apply to the pod hosting this service in the meantime?
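The question above hinges on what a given plugin jar actually bundles, which is something you can verify yourself rather than infer from the scanner's report. The following is an added example (not code from the original post, from SonarSource, or from Wiz) that opens a plugin jar, finds nested Thymeleaf jars under META-INF/lib, and reports the version both from the file name and from the nested jar's own manifest. It constructs a small fake plugin jar in memory for demonstration; the helper name `build_sample_plugin_jar` and the sample contents are assumptions, and the script says nothing about whether any version is affected by the CVE, which is for the vendor advisory to state.

```python
import io
import re
import zipfile

# Nested dependency jars as SonarQube plugins ship them: META-INF/lib/<artifact>-<version>.jar.
# The artifact may be "thymeleaf" or a suffixed one such as "thymeleaf-spring6".
NESTED_JAR_RE = re.compile(
    r"(?i)^META-INF/lib/(?P<artifact>thymeleaf(?:-[a-z]+[a-z0-9]*)*)-(?P<version>[0-9][^/]*)\.jar$"
)


def build_sample_plugin_jar(nested_version="3.1.3.RELEASE"):
    """Constructed sample only: a fake plugin jar nesting a thymeleaf jar, not a real plugin."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            f"Implementation-Version: {nested_version}\r\n"
            "Implementation-Title: thymeleaf\r\n\r\n",
        )
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        z.writestr(f"META-INF/lib/thymeleaf-{nested_version}.jar", inner.getvalue())
        z.writestr("META-INF/lib/other-1.0.jar", b"not inspected")  # unrelated nested jar
    return outer.getvalue()


def manifest_version(jar_bytes):
    """Return Implementation-Version from a jar's MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        try:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def bundled_thymeleaf(plugin_jar_bytes):
    """List nested Thymeleaf jars as (path, version from file name, version from manifest).

    The two versions normally agree; a mismatch means someone repackaged the jar
    and the file name alone should not be trusted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(plugin_jar_bytes)) as z:
        for name in z.namelist():
            m = NESTED_JAR_RE.match(name)
            if not m:
                continue
            findings.append((name, m.group("version"), manifest_version(z.read(name))))
    return findings


def check_plugin_file(path):
    """Inspect a real plugin jar on disk, e.g. one extracted from a SonarQube image."""
    with open(path, "rb") as f:
        return bundled_thymeleaf(f.read())


if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_plugin_jar()
    for path, name_ver, mf_ver in bundled_thymeleaf(data):
        print(f"{path}: file name says {name_ver}, manifest says {mf_ver}")
```

Run it against the plugin from each SonarQube version you are considering (for a container, `docker cp` or `kubectl cp` the file out of the pod first) and compare the reported versions; the nested jar, not the plugin's own version number, is what a scanner such as Wiz keys on.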

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com?

Thx,
Ann