THREATOPS
THREAT OPSThreat News › Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478)

Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478)

lowsnykPublished 2026-04-29

CVE-2026-40478: The Thymeleaf template injection (CVSS 9.1) is conditional. Patch to 3.1.4+ immediately, and audit your code for dynamic view or template expression misuse, which is the key precondition for exploitability.

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://snyk.io/blog/thymeleaf-injection/