THREAT OPS › Threat News › Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478)
Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478)
CVE-2026-40478: The Thymeleaf template injection (CVSS 9.1) is conditional. Patch to 3.1.4+ immediately, and audit your code for dynamic view or template expression misuse, which is the key precondition for exploitability.
MITRE ATT&CK techniques
- Template InjectionT1221
Indicators of compromise
- CVE-2026-40478cve
Original source: https://snyk.io/blog/thymeleaf-injection/