This is a maintenance version for the old 2.1.x branch, and should work as a drop-in replacement for 2.1.x versions.
Also, note that this version is focused on a couple of security-related improvements, so upgrading is heavily recommended.
Remember however that Thymeleaf 3.0 is the currently recommended major version.
Improve restricted expression evaluation mode to restrict access to some request features (#request.getParameter(), #request.getParameterValues(), #request.getParameterMap(), #request.getQueryString()).
Add new scenarios for restricted expression evaluation: th:on*, th:attr, th:src, th:href, th:include, th:replace, th:substituteby, link expressions (only for URL bases).
Explaining the changes in the restricted expression evaluation mode
Thanks to the fact that Thymeleaf actually understands the HTML that it processes (because it parses it), developers can benefit from the template engine helping them reduce the risks of code injection as much as possible. Thymeleaf does this by preventing the use of direct input from users in certain parts of the template. This direct input from users refers to request parameters, as these might not have passed a validation process at the controller.
For more detail, have a look at the list of issues at GitHub for version 2.1.6.