CVE-2026-40478 | thymeleaf/thymeleaf-spring5/thymeleaf-spring6 up to 3.1.3 expression language injection (GHSA-xjw8-8c5c-9r79)

A vulnerability labeled as problematic has been found in thymeleaf, thymeleaf-spring5 and thymeleaf-spring6 up to 3.1.3. This impacts an unknown function. The manipulation results in improper neutralization of special elements used in an expression language statement.

This vulnerability was named CVE-2026-40478. The attack may be performed remotely. There is no available exploit.

The affected component should be upgraded.