
Critical Template Injection Vulnerability CVE-2026-40478 Discovered in Thymeleaf
Tags: Cybersecurity, Vulnerabilities, Software Security, Template Injection, CVE-2026-40478, Thymeleaf, Patching
A conditional template injection vulnerability in Thymeleaf, tracked as CVE-2026-40478, has been assigned a CVSS score of 9.1, indicating critical severity. Exploitation requires dynamic view or template expression misuse as a precondition, limiting its impact to misconfigured implementations. The flaw necessitates immediate patching to Thymeleaf version 3.1.4 or later, along with a code audit to identify vulnerable expressions. No specific attack vectors, affected systems, or exploitation instances were detailed beyond the dependency on improper template handling. The advisory emphasizes the vulnerability's conditional nature but does not provide disclosure or patch release dates.
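As an added illustration (not code from the advisory or the Thymeleaf project) of what the recommended code audit looks for, the following Spring MVC controller shows a view name built from request input beside the fixed form that keeps the view name a literal and passes the input through the model. The controller class, routes, template names and request parameter are assumed; whether this exact pattern is the precondition CVE-2026-40478 depends on is not stated by the advisory.

```java
// Added example: dynamic view-name construction (weak) vs. a fixed view name
// with untrusted input passed as a model attribute (hardened).
// Class name, routes and template names are assumptions for illustration.
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class ProfileController {

    // Weak: the request parameter becomes part of the view name handed to
    // the Thymeleaf view resolver, so untrusted input reaches the engine's
    // template/expression handling. An audit should flag any return value
    // of a view-returning handler that is assembled from request data.
    @GetMapping("/profile-unsafe")
    public String profileUnsafe(@RequestParam String section) {
        return "profile/" + section;
    }

    // Hardened: the view name is a compile-time literal. The untrusted value
    // is exposed to the template only as a model attribute, where it is
    // rendered as data (e.g. with th:text, which HTML-escapes it) rather
    // than being interpreted as part of the template or an expression.
    @GetMapping("/profile")
    public String profile(@RequestParam String section, Model model) {
        model.addAttribute("section", section);
        return "profile";
    }
}
```

If several templates genuinely must be selectable, map the input to a fixed allowlist of view names in the controller and reject anything else, instead of concatenating it.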