TopBraid EDG Vulnerability Report

Generated 2026-05-29T15:03:35Z

9.2.1 (released 2026-05-22) — previous: 9.2.0

Not affected (2)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

9.2.0 (released 2026-05-07) — previous: 9.1.6

Not affected (5)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
medium	CVE-2026-8723	SNYK-JS-QS-16721866	qs	6.15.1	NULL Pointer Dereference	2026-05-17	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (6)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.11	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.6	HTTP Response Splitting	2026-04-10
medium	CVE-2026-47761	SNYK-JS-TINYMCE-17056137	tinymce	7.5.1	Cross-site Scripting (XSS)	2026-05-28
medium	CVE-2026-47762	SNYK-JS-TINYMCE-17056141	tinymce	7.5.1	Cross-site Scripting (XSS)	2026-05-28
medium	CVE-2026-47759	SNYK-JS-TINYMCE-17056166	tinymce	7.5.1	Cross-site Scripting (XSS)	2026-05-28
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22

9.1.6 (released 2026-05-29) — previous: 9.1.5

Affected (3)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.11	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.6	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.

Unassessed (3)

No detailed assessment performed since remediation is available.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in
medium	CVE-2026-47761	SNYK-JS-TINYMCE-17056137	tinymce	7.5.1	Cross-site Scripting (XSS)	2026-05-28	9.2.0
medium	CVE-2026-47762	SNYK-JS-TINYMCE-17056141	tinymce	7.5.1	Cross-site Scripting (XSS)	2026-05-28	9.2.0
medium	CVE-2026-47759	SNYK-JS-TINYMCE-17056166	tinymce	7.5.1	Cross-site Scripting (XSS)	2026-05-28	9.2.0

Not affected (45)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.13.6	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.13.6	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.12.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.12.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.12.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.12.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.7	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.7	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.7	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.13.6	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.13.6	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.13.6	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.13.6	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.13.6	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.13.6	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-40542	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-16134546	org.apache.httpcomponents.client5:httpclient5	5.6	Missing Critical Step in Authentication	2026-04-23	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.9	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.9	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.9	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.3.3	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.13.6	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (1)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05

9.1.5 (released 2026-05-07) — previous: 9.1.4

Affected (4)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.11	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.6	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.

Not affected (45)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.13.6	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.13.6	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.12.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.12.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.12.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.12.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.7	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.7	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.7	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.13.6	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.13.6	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.13.6	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.13.6	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.13.6	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.13.6	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-40542	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-16134546	org.apache.httpcomponents.client5:httpclient5	5.6	Missing Critical Step in Authentication	2026-04-23	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.9	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.9	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.9	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.3.3	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.13.6	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (4)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.3	Improper Output Neutralization for Logs	2026-04-10
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.3	Improper Validation of Certificate with Host Mismatch	2026-04-10

9.1.4 (released 2026-04-09) — previous: 9.1.3

Affected (8)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.11	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.3	Improper Output Neutralization for Logs	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.6	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.

Not affected (47)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.13.6	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.13.6	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.12.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.12.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.12.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.12.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.7	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.7	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.7	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.13.6	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.13.6	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.17	Incomplete Cleanup	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.12.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.13.6	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.13.6	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.13.6	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.13.6	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-40542	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-16134546	org.apache.httpcomponents.client5:httpclient5	5.6	Missing Critical Step in Authentication	2026-04-23	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.9	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.9	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.9	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.17	Allocation of Resources Without Limits or Throttling	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.3.3	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.13.6	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (8)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.23	Arbitrary Code Injection	2026-03-31
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-03-26
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-03-26
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.23	Prototype Pollution	2026-03-31
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.16	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19

9.1.3 (released 2026-03-23) — previous: 9.1.2

Affected (16)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.11	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.3	Improper Output Neutralization for Logs	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.6	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.23	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.23	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.16	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.

Not affected (47)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.13.6	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.13.6	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.9.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.7	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.7	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.7	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.13.6	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.13.6	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.16	Incomplete Cleanup	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.13.6	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.13.6	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.13.6	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.13.6	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.13.6	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.13.6	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-40542	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-16134546	org.apache.httpcomponents.client5:httpclient5	5.6	Missing Critical Step in Authentication	2026-04-23	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.9	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.9	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.9	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.16	Allocation of Resources Without Limits or Throttling	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.3.3	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.13.6	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.3.3	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (3)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.6	Use of Cache Containing Sensitive Information	2026-03-20
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.13.2	Prototype Pollution	2026-02-09
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-03-03

9.1.2 (released 2026-02-20) — previous: 9.1.1

Affected (19)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.6	Use of Cache Containing Sensitive Information	2026-03-20	9.1.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.3	Improper Output Neutralization for Logs	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.2	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.23	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.13.2	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.23	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.12	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.

Not affected (52)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.13.2	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.13.2	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.13.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.9.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.7	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.7	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.7	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.13.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.13.2	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.12	Incomplete Cleanup	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.13.2	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.13.2	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.13.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.13.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.13.2	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.13.2	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.13.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-40542	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-16134546	org.apache.httpcomponents.client5:httpclient5	5.6	Missing Critical Step in Authentication	2026-04-23	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.6	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.6	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.6	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.12	Allocation of Resources Without Limits or Throttling	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.3.0	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.13.2	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.3.0	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.3.0	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

9.1.1 (released 2026-02-17) — previous: 9.1.0

Affected (19)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.6	Use of Cache Containing Sensitive Information	2026-03-20	9.1.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.3	Improper Output Neutralization for Logs	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.2	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.23	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.13.2	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.23	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.12	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.

Not affected (52)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.13.2	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.13.2	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.13.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.9.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.7	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.7	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.7	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.13.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.13.2	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.12	Incomplete Cleanup	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.13.2	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.13.2	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.13.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.13.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.13.2	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.13.2	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.13.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-40542	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-16134546	org.apache.httpcomponents.client5:httpclient5	5.6	Missing Critical Step in Authentication	2026-04-23	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.6	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.6	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.6	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.12	Allocation of Resources Without Limits or Throttling	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.3.0	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.13.2	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.3.0	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.3.0	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

9.1.0 (released 2026-02-03) — previous: 9.0.3

Affected (19)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.6	Use of Cache Containing Sensitive Information	2026-03-20	9.1.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.3	Improper Output Neutralization for Logs	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.3	Improper Encoding or Escaping of Output	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.13.2	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.23	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.13.2	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.1.5	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.23	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.12	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.

Not affected (52)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.13.2	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.13.2	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.13.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.9.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.9.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.9.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.7	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.7	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.7	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.13.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.13.2	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.12	Incomplete Cleanup	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.9.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.13.2	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.13.2	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.13.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.13.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.13.2	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.13.2	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.13.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-40542	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-16134546	org.apache.httpcomponents.client5:httpclient5	5.6	Missing Critical Step in Authentication	2026-04-23	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.6	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.6	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.6	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.12	Allocation of Resources Without Limits or Throttling	2026-04-17	9.1.5	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.3.0	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.13.2	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.3.0	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.3.0	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.3.0	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (8)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.2.6.Final	CRLF Injection	2025-12-15

9.0.3 (released 2026-05-07) — previous: 9.0.2

Affected (21)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.12.2	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.12.2	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.2.6.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.

Not affected (50)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.12.2	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.12.2	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.6.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.5	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.5	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.5	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.12.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.12.2	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.12.2	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.12.2	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.12.2	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.12.2	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.9	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.9	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.9	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.6	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.12.2	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.6	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.6	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (7)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.5	Use of Cache Containing Sensitive Information	2026-03-20
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.2	Improper Output Neutralization for Logs	2026-04-10
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2026-04-10
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2025-12-18
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.11	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19

9.0.2 (released 2025-12-18) — previous: 9.0.1

Affected (28)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.5	Use of Cache Containing Sensitive Information	2026-03-20	9.0.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.2	Improper Output Neutralization for Logs	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.12.2	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.12.2	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2025-12-18	9.0.3	Upgrade to TopBraid EDG 9.0.3 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.2.6.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.11	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	9.0.3	Upgrade to TopBraid EDG 9.0.3 or later.

Not affected (52)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.12.2	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.12.2	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.6.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.5	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.5	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.5	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.12.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.12.2	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.11	Incomplete Cleanup	2026-04-17	9.0.3	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.12.2	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.12.2	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.12.2	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.12.2	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.5	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.5	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.5	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.11	Allocation of Resources Without Limits or Throttling	2026-04-17	9.0.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.6	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.12.2	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.6	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.6	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (1)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	CVE-2026-42579	SNYK-JAVA-IONETTY-16438938	io.netty:netty-codec-dns	4.2.6.Final	Null Byte Interaction Error (Poison Null Byte)	2026-05-07

9.0.1 (released 2025-11-18) — previous: 9.0.0

Affected (29)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.5	Use of Cache Containing Sensitive Information	2026-03-20	9.0.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-42579	SNYK-JAVA-IONETTY-16438938	io.netty:netty-codec-dns	4.2.6.Final	Null Byte Interaction Error (Poison Null Byte)	2026-05-07	9.0.2	Upgrade to TopBraid EDG 9.0.2 or later.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.2	Improper Output Neutralization for Logs	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.12.2	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.12.2	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2025-12-18	9.0.3	Upgrade to TopBraid EDG 9.0.3 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.2.6.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.11	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	9.0.3	Upgrade to TopBraid EDG 9.0.3 or later.

Not affected (53)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.12.2	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.12.2	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.6.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.5	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.5	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.5	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.12.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.12.2	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.11	Incomplete Cleanup	2026-04-17	9.0.3	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42578	SNYK-JAVA-IONETTY-16438935	io.netty:netty-handler-proxy	4.2.6.Final	CRLF Injection	2026-05-07	9.0.2	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.12.2	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.12.2	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.12.2	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.12.2	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.5	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.5	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.5	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.11	Allocation of Resources Without Limits or Throttling	2026-04-17	9.0.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.6	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.12.2	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.6	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.6	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

9.0.0 (released 2025-11-04) — previous: 8.5.3

Affected (29)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.5	Use of Cache Containing Sensitive Information	2026-03-20	9.0.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-42579	SNYK-JAVA-IONETTY-16438938	io.netty:netty-codec-dns	4.2.6.Final	Null Byte Interaction Error (Poison Null Byte)	2026-05-07	9.0.2	Upgrade to TopBraid EDG 9.0.2 or later.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.25.2	Improper Output Neutralization for Logs	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.25.2	Improper Encoding or Escaping of Output	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.12.2	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.12.2	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2026-04-10	9.0.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.25.2	Improper Validation of Certificate with Host Mismatch	2025-12-18	9.0.3	Upgrade to TopBraid EDG 9.0.3 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.2.6.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.11	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	9.0.3	Upgrade to TopBraid EDG 9.0.3 or later.

Not affected (53)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.12.2	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.12.2	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438323	io.netty:netty-codec-compression	4.2.6.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438931	io.netty:netty-codec-compression	4.2.6.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42577	SNYK-JAVA-IONETTY-16438936	io.netty:netty-transport-classes-epoll	4.2.6.Final	Missing Release of Resource after Effective Lifetime	2026-05-06	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.5	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.5	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.5	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.12.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.12.2	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.11	Incomplete Cleanup	2026-04-17	9.0.3	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.81	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.81	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.20.0	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42578	SNYK-JAVA-IONETTY-16438935	io.netty:netty-handler-proxy	4.2.6.Final	CRLF Injection	2026-05-07	9.0.2	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.2.6.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.22.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.12.2	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.12.2	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.12.2	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.12.2	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.12.2	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.12.2	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.5	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.5	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.5	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.11	Allocation of Resources Without Limits or Throttling	2026-04-17	9.0.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.6	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.81	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.12.2	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.6	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.6	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.6	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

8.5.3 (released 2026-05-07) — previous: 8.5.2

Affected (22)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
high	CVE-2026-42579	SNYK-JAVA-IONETTY-16438938	io.netty:netty-codec-dns	4.1.128.Final	Null Byte Interaction Error (Poison Null Byte)	2026-05-07	9.0.2	Upgrade to TopBraid EDG 9.0.2 or later.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.8.4	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.1.128.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.8.4	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.1.128.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.

Not affected (54)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.8.4	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.8.4	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	CVE-2025-7783	SNYK-JS-FORMDATA-10841150	form-data	4.0.2	Predictable Value Range from Previous Values	2025-07-18	9.0.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438322	io.netty:netty-codec	4.1.128.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.1.128.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438930	io.netty:netty-codec	4.1.128.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.4	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.4	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.4	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.8.4	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.8.4	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.80	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.80	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2025-8671	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052	org.apache.httpcomponents.core5:httpcore5-h2	5.3.4	Denial of Service (DoS)	2025-08-13	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42578	SNYK-JAVA-IONETTY-16438935	io.netty:netty-handler-proxy	4.1.128.Final	CRLF Injection	2026-05-07	9.0.2	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.8.4	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.8.4	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.8.4	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.8.4	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.9	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.9	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.9	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.5	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.80	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.8.4	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.5	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.5	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-58754	SNYK-JS-AXIOS-12613773	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2025-09-10	9.0.0	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2025-22227	SNYK-JAVA-IOPROJECTREACTORNETTY-10770514	io.projectreactor.netty:reactor-netty-http	1.0.48	Exposure of Sensitive System Information to an Unauthorized Control Sphere	2025-07-15	9.0.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03		vulnerable_code_not_in_execute_path

Fixed (8)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.5	Use of Cache Containing Sensitive Information	2026-03-20
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.24.3	Improper Output Neutralization for Logs	2026-04-10
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10
high	CVE-2024-22363	SNYK-JS-XLSX-6252523	xlsx	0.20.3	Regular Expression Denial of Service (ReDoS)	2024-02-18
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2026-04-10
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2025-12-18
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.11	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19

8.5.2 (released 2025-12-09) — previous: 8.5.1

Affected (30)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.5	Use of Cache Containing Sensitive Information	2026-03-20	8.5.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-42579	SNYK-JAVA-IONETTY-16438938	io.netty:netty-codec-dns	4.1.128.Final	Null Byte Interaction Error (Poison Null Byte)	2026-05-07	9.0.2	Upgrade to TopBraid EDG 9.0.2 or later.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.24.3	Improper Output Neutralization for Logs	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.8.4	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.1.128.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.8.4	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2024-22363	SNYK-JS-XLSX-6252523	xlsx	0.20.3	Regular Expression Denial of Service (ReDoS)	2024-02-18	8.5.3	Upgrade to TopBraid EDG 8.5.3 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2025-12-18	8.5.3	Upgrade to TopBraid EDG 8.5.3 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.1.128.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.11	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	8.5.3	Upgrade to TopBraid EDG 8.5.3 or later.

Not affected (56)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.8.4	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.8.4	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.81.1	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	CVE-2025-7783	SNYK-JS-FORMDATA-10841150	form-data	4.0.2	Predictable Value Range from Previous Values	2025-07-18	9.0.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438322	io.netty:netty-codec	4.1.128.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.1.128.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438930	io.netty:netty-codec	4.1.128.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.4	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.4	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.4	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.8.4	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.8.4	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.11	Incomplete Cleanup	2026-04-17	8.5.3	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.80	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.80	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2025-8671	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052	org.apache.httpcomponents.core5:httpcore5-h2	5.3.4	Denial of Service (DoS)	2025-08-13	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42578	SNYK-JAVA-IONETTY-16438935	io.netty:netty-handler-proxy	4.1.128.Final	CRLF Injection	2026-05-07	9.0.2	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.1.128.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.8.4	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.8.4	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.8.4	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.8.4	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.5	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.5	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.5	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.11	Allocation of Resources Without Limits or Throttling	2026-04-17	8.5.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.5	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.80	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.8.4	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.5	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.5	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-58754	SNYK-JS-AXIOS-12613773	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2025-09-10	9.0.0	vulnerable_code_not_in_execute_path
medium	CVE-2023-30533	SNYK-JS-XLSX-5457926	xlsx	0.20.3	Prototype Pollution	2023-04-24	8.5.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2025-22227	SNYK-JAVA-IOPROJECTREACTORNETTY-10770514	io.projectreactor.netty:reactor-netty-http	1.0.48	Exposure of Sensitive System Information to an Unauthorized Control Sphere	2025-07-15	9.0.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary

Fixed (9)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	CVE-2025-41249	SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817	org.springframework:spring-core	6.2.8	Incorrect Authorization	2025-09-16
high	CVE-2025-58056	SNYK-JAVA-IONETTY-12485149	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2025-09-03
high	CVE-2025-58057	SNYK-JAVA-IONETTY-12485150	io.netty:netty-codec-http	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2025-09-03
high	CVE-2025-58057	SNYK-JAVA-IONETTY-12485151	io.netty:netty-codec-http2	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2025-09-03
high	CVE-2025-54988	SNYK-JAVA-ORGAPACHETIKA-12238980	org.apache.tika:tika-parser-pdf-module	3.2.0	XML External Entity (XXE) Injection	2025-08-20
high	CVE-2025-54988	SNYK-JAVA-ORGAPACHETIKA-14188255	org.apache.tika:tika-core	3.2.0	XML External Entity (XXE) Injection	2025-08-20
high	CVE-2025-41242	SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931	org.springframework:spring-beans	6.2.8	Relative Path Traversal	2025-08-14
high	CVE-2025-55163	SNYK-JAVA-IONETTY-11799531	io.netty:netty-codec-http2	4.1.118.Final	Allocation of Resources Without Limits or Throttling	2025-08-13
medium	CVE-2025-7962	SNYK-JAVA-ORGECLIPSEANGUS-12239873	org.eclipse.angus:angus-mail	2.0.3	Improper Neutralization	2025-07-21

8.5.1 (released 2025-08-26) — previous: 8.5.0

Affected (38)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.1	Use of Cache Containing Sensitive Information	2026-03-20	8.5.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-42579	SNYK-JAVA-IONETTY-16438938	io.netty:netty-codec-dns	4.1.112.Final	Null Byte Interaction Error (Poison Null Byte)	2026-05-07	9.0.2	Upgrade to TopBraid EDG 9.0.2 or later.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.24.3	Improper Output Neutralization for Logs	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.8.4	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.1.118.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.8.4	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-41249	SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817	org.springframework:spring-core	6.2.8	Incorrect Authorization	2025-09-16	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-58056	SNYK-JAVA-IONETTY-12485149	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2025-09-03	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-58057	SNYK-JAVA-IONETTY-12485150	io.netty:netty-codec-http	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2025-09-03	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-58057	SNYK-JAVA-IONETTY-12485151	io.netty:netty-codec-http2	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2025-09-03	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-54988	SNYK-JAVA-ORGAPACHETIKA-12238980	org.apache.tika:tika-parser-pdf-module	3.2.0	XML External Entity (XXE) Injection	2025-08-20	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-54988	SNYK-JAVA-ORGAPACHETIKA-14188255	org.apache.tika:tika-core	3.2.0	XML External Entity (XXE) Injection	2025-08-20	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-41242	SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931	org.springframework:spring-beans	6.2.8	Relative Path Traversal	2025-08-14	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IONETTY-11799531	io.netty:netty-codec-http2	4.1.118.Final	Allocation of Resources Without Limits or Throttling	2025-08-13	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2025-12-18	8.5.3	Upgrade to TopBraid EDG 8.5.3 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.1.118.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-7962	SNYK-JAVA-ORGECLIPSEANGUS-12239873	org.eclipse.angus:angus-mail	2.0.3	Improper Neutralization	2025-07-21	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.8	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	8.5.3	Upgrade to TopBraid EDG 8.5.3 or later.

Not affected (58)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.8.4	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.8.4	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.80.2	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	CVE-2025-7783	SNYK-JS-FORMDATA-10841150	form-data	4.0.2	Predictable Value Range from Previous Values	2025-07-18	9.0.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438322	io.netty:netty-codec	4.1.118.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438930	io.netty:netty-codec	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.4	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.4	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.4	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.8.4	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.8.4	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.8	Incomplete Cleanup	2026-04-17	8.5.3	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.80	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.80	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2025-41248	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-12817818	org.springframework.security:spring-security-core	6.5.1	Incorrect Authorization	2025-09-16	8.5.2	vulnerable_code_not_in_execute_path
high	CVE-2025-8671	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052	org.apache.httpcomponents.core5:httpcore5-h2	5.3.4	Denial of Service (DoS)	2025-08-13	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42578	SNYK-JAVA-IONETTY-16438935	io.netty:netty-handler-proxy	4.1.118.Final	CRLF Injection	2026-05-07	9.0.2	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.8.4	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.8.4	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.8.4	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.8.4	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.1	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.1	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.1	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.8	Allocation of Resources Without Limits or Throttling	2026-04-17	8.5.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.5	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.80	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.8.4	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.5	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.5	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-58754	SNYK-JS-AXIOS-12613773	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2025-09-10	9.0.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-53864	SNYK-JAVA-COMNIMBUSDS-10691768	com.nimbusds:nimbus-jose-jwt	9.37.3	Uncontrolled Recursion	2025-07-11	8.5.2	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2025-22227	SNYK-JAVA-IOPROJECTREACTORNETTY-10770514	io.projectreactor.netty:reactor-netty-http	1.0.48	Exposure of Sensitive System Information to an Unauthorized Control Sphere	2025-07-15	9.0.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03	8.5.2	vulnerable_code_not_in_execute_path

Fixed (1)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	CVE-2024-22363	SNYK-JS-XLSX-6252523	xlsx	0.20.3	Regular Expression Denial of Service (ReDoS)	2024-02-18

8.5.0 (released 2025-08-05) — previous: 8.4.3

Affected (39)

The product is exposed and action should be taken.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Action statement
critical	CVE-2026-22732	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-15701796	org.springframework.security:spring-security-web	6.5.1	Use of Cache Containing Sensitive Information	2026-03-20	8.5.3	Upgrade to TopBraid EDG 8.5.3, 9.0.3, 9.1.3, or later, when available.
high	CVE-2026-42579	SNYK-JAVA-IONETTY-16438938	io.netty:netty-codec-dns	4.1.112.Final	Null Byte Interaction Error (Poison Null Byte)	2026-05-07	9.0.2	Upgrade to TopBraid EDG 9.0.2 or later.
high	CVE-2026-40895	SNYK-JS-FOLLOWREDIRECTS-16032162	follow-redirects	1.15.9	Improper Removal of Sensitive Information Before Storage or Transfer	2026-04-14	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-34478	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967739	org.apache.logging.log4j:log4j-core	2.24.3	Improper Output Neutralization for Logs	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Rfc5424Layout with a stream-based syslog appender should reconfigure to avoid Rfc5424Layout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34480	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use XmlLayout should reconfigure to avoid XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-34479	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967804	org.apache.logging.log4j:log4j-core	2.24.3	Improper Encoding or Escaping of Output	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use Log4j1XmlLayout should reconfigure to avoid Log4j1XmlLayout, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
high	CVE-2026-40175	SNYK-JS-AXIOS-15969258	axios	1.8.4	HTTP Response Splitting	2026-04-10	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
high	CVE-2026-4800	SNYK-JS-LODASH-15869625	lodash	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-4800	SNYK-JS-LODASHES-15869627	lodash-es	4.17.21	Arbitrary Code Injection	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33870	SNYK-JAVA-IONETTY-15789756	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-33871	SNYK-JAVA-IONETTY-15789758	io.netty:netty-codec-http2	4.1.118.Final	Allocation of Resources Without Limits or Throttling	2026-03-26	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
high	CVE-2026-25639	SNYK-JS-AXIOS-15252993	axios	1.8.4	Prototype Pollution	2026-02-09	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
high	CVE-2025-68470	SNYK-JS-REACTROUTER-14908286	react-router	7.6.0	Open Redirect	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2026-22029	SNYK-JS-REACTROUTER-14908531	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-41249	SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817	org.springframework:spring-core	6.2.8	Incorrect Authorization	2025-09-16	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-58056	SNYK-JAVA-IONETTY-12485149	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2025-09-03	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-58057	SNYK-JAVA-IONETTY-12485150	io.netty:netty-codec-http	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2025-09-03	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-58057	SNYK-JAVA-IONETTY-12485151	io.netty:netty-codec-http2	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2025-09-03	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-54988	SNYK-JAVA-ORGAPACHETIKA-12238980	org.apache.tika:tika-parser-pdf-module	3.2.0	XML External Entity (XXE) Injection	2025-08-20	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-54988	SNYK-JAVA-ORGAPACHETIKA-14188255	org.apache.tika:tika-core	3.2.0	XML External Entity (XXE) Injection	2025-08-20	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-41242	SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931	org.springframework:spring-beans	6.2.8	Relative Path Traversal	2025-08-14	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2025-55163	SNYK-JAVA-IOGRPC-13786834	io.grpc:grpc-netty-shaded	1.68.0	Allocation of Resources Without Limits or Throttling	2025-08-13	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
high	CVE-2025-55163	SNYK-JAVA-IONETTY-11799531	io.netty:netty-codec-http2	4.1.118.Final	Allocation of Resources Without Limits or Throttling	2025-08-13	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
high	CVE-2024-22363	SNYK-JS-XLSX-6252523	xlsx	0.20.3	Regular Expression Denial of Service (ReDoS)	2024-02-18	8.5.1	Upgrade to TopBraid EDG 8.5.1 or later.
medium	CVE-2026-34477	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967727	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2026-04-10	8.5.3	The default configuration is not exposed. Customers who have customised their Log4j configuration to use SocketAppender, SmtpAppender, or SyslogAppender with TLS should reconfigure to avoid those appenders, or upgrade to TopBraid EDG 9.2.0, 9.1.5, 9.0.3, 8.5.3, or 8.4.3, all scheduled for release in May 2026.
medium	CVE-2026-2950	SNYK-JS-LODASH-15869619	lodash	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-2950	SNYK-JS-LODASHES-15869621	lodash-es	4.17.21	Prototype Pollution	2026-03-31	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2026-0540	SNYK-JS-DOMPURIFY-15371376	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.3	Upgrade to TopBraid EDG 9.1.3 or later.
medium	CVE-2025-13465	SNYK-JS-LODASH-15053838	lodash	4.17.21	Prototype Pollution	2026-01-21	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-13465	SNYK-JS-LODASHES-15053836	lodash-es	4.17.21	Prototype Pollution	2026-01-21	9.1.4	Upgrade to TopBraid EDG 9.1.4 or later.
medium	CVE-2025-59057	SNYK-JS-REACTROUTER-14908289	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-21884	SNYK-JS-REACTROUTER-14908293	react-router	7.6.0	Cross-site Scripting (XSS)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2026-22030	SNYK-JS-REACTROUTER-14908429	react-router	7.6.0	Cross-site Request Forgery (CSRF)	2026-01-08	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-68161	SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	org.apache.logging.log4j:log4j-core	2.24.3	Improper Validation of Certificate with Host Mismatch	2025-12-18	8.5.3	Upgrade to TopBraid EDG 8.5.3 or later.
medium	CVE-2025-67735	SNYK-JAVA-IONETTY-14423947	io.netty:netty-codec-http	4.1.118.Final	CRLF Injection	2025-12-15	9.1.0	Upgrade to TopBraid EDG 9.1.0 or later.
medium	CVE-2025-7962	SNYK-JAVA-ORGECLIPSEANGUS-12239873	org.eclipse.angus:angus-mail	2.0.3	Improper Neutralization	2025-07-21	8.5.2	Upgrade to TopBraid EDG 8.5.2 or later.
medium	CVE-2026-2327	SNYK-JS-MARKDOWNIT-10666750	markdown-it	14.1.0	Regular Expression Denial of Service (ReDoS)	2025-07-05	9.1.6	Upgrade to TopBraid EDG 9.1.6 or later.
medium	CVE-2025-6493	SNYK-JS-CODEMIRROR-10494092	codemirror	5.65.18	Regular Expression Denial of Service (ReDoS)	2025-06-22	9.2.0	Upgrade to TopBraid EDG 9.2.0 or later.
low	CVE-2026-22735	SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755	org.springframework:spring-web	6.2.8	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	2026-03-19	8.5.3	Upgrade to TopBraid EDG 8.5.3 or later.

Not affected (59)

Component present in the product, but not exploitable.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed	Fixed in	Justification
critical	CVE-2026-42264	SNYK-JS-AXIOS-16417750	axios	1.8.4	Prototype Pollution	2026-05-05	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42035	SNYK-JS-AXIOS-16298058	axios	1.8.4	HTTP Response Splitting	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-42033	SNYK-JS-AXIOS-16299904	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
critical	CVE-2026-5588	SNYK-JAVA-ORGBOUNCYCASTLE-16075260	org.bouncycastle:bcpkix-jdk18on	1.80.2	Improper Verification of Cryptographic Signature	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
critical	CVE-2025-7783	SNYK-JS-FORMDATA-10841150	form-data	4.0.2	Predictable Value Range from Previous Values	2025-07-18	9.0.0	vulnerable_code_not_in_execute_path
critical	(none)	SNYK-JS-JQUERYFORM-574783	jquery-form	3.50.0	Cross-site Scripting (XSS)	2015-04-10	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42583	SNYK-JAVA-IONETTY-16438322	io.netty:netty-codec	4.1.118.Final	Allocation of Resources Without Limits or Throttling	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42585	SNYK-JAVA-IONETTY-16438737	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42584	SNYK-JAVA-IONETTY-16438923	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438929	io.netty:netty-codec-http2	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42587	SNYK-JAVA-IONETTY-16438930	io.netty:netty-codec	4.1.118.Final	Improper Handling of Highly Compressed Data (Data Amplification)	2026-05-07	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42581	SNYK-JAVA-IONETTY-16438934	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-42027	SNYK-JAVA-ORGAPACHEOPENNLP-16419373	org.apache.opennlp:opennlp-tools	2.5.4	Unsafe Reflection	2026-05-04	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-40682	SNYK-JAVA-ORGAPACHEOPENNLP-16419377	org.apache.opennlp:opennlp-tools	2.5.4	XML External Entity (XXE) Injection	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42440	SNYK-JAVA-ORGAPACHEOPENNLP-16535521	org.apache.opennlp:opennlp-tools	2.5.4	Memory Allocation with Excessive Size Value	2026-05-04	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42044	SNYK-JS-AXIOS-16299921	axios	1.8.4	Improperly Controlled Modification of Dynamically-Determined Object Attributes	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
high	CVE-2026-42039	SNYK-JS-AXIOS-16299923	axios	1.8.4	Uncontrolled Recursion	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2026-22740	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109615	org.springframework:spring-web	6.2.8	Incomplete Cleanup	2026-04-17	8.5.3	vulnerable_code_not_in_execute_path
high	CVE-2026-5598	SNYK-JAVA-ORGBOUNCYCASTLE-16074612	org.bouncycastle:bcprov-jdk18on	1.80	Timing Attack	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	CVE-2025-14813	SNYK-JAVA-ORGBOUNCYCASTLE-16075266	org.bouncycastle:bcprov-jdk18on	1.80	Use of a Broken or Risky Cryptographic Algorithm	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-04-04	9.1.3	vulnerable_code_not_in_execute_path
high	(none)	SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	com.fasterxml.jackson.core:jackson-core	2.19.1	Allocation of Resources Without Limits or Throttling	2026-02-28	9.1.3	vulnerable_code_not_in_execute_path
high	CVE-2025-68280	SNYK-JAVA-ORGAPACHESISCORE-14874786	org.apache.sis.core:sis-metadata	1.4	XML External Entity (XXE) Injection	2026-01-05		vulnerable_code_not_in_execute_path
high	CVE-2025-41248	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-12817818	org.springframework.security:spring-security-core	6.5.1	Incorrect Authorization	2025-09-16	8.5.2	vulnerable_code_not_in_execute_path
high	CVE-2025-8671	SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052	org.apache.httpcomponents.core5:httpcore5-h2	5.3.4	Denial of Service (DoS)	2025-08-13	9.0.0	vulnerable_code_not_in_execute_path
high	CVE-2021-23370	SNYK-JS-SWIPER-1088062	swiper	3.4.1	Prototype Pollution	2021-03-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42580	SNYK-JAVA-IONETTY-16438926	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-07	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42578	SNYK-JAVA-IONETTY-16438935	io.netty:netty-handler-proxy	4.1.118.Final	CRLF Injection	2026-05-07	9.0.2	vulnerable_code_not_in_execute_path
medium	CVE-2026-41417	SNYK-JAVA-IONETTY-16425695	io.netty:netty-codec-http	4.1.118.Final	HTTP Request Smuggling	2026-05-05	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-43869	SNYK-JAVA-ORGAPACHETHRIFT-16432027	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-05-05	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-41603	SNYK-JAVA-ORGAPACHETHRIFT-16323114	org.apache.thrift:libthrift	0.21.0	Improper Validation of Certificate with Host Mismatch	2026-04-28	9.2.1	vulnerable_code_not_in_execute_path
medium	CVE-2026-42040	SNYK-JS-AXIOS-16298055	axios	1.8.4	Improper Encoding or Escaping of Output	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42038	SNYK-JS-AXIOS-16298095	axios	1.8.4	Server-side Request Forgery (SSRF)	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42034	SNYK-JS-AXIOS-16298130	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42036	SNYK-JS-AXIOS-16298162	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2026-04-24	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-42042	SNYK-JS-AXIOS-16299478	axios	1.8.4	Insertion of Sensitive Information Into Sent Data	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42037	SNYK-JS-AXIOS-16299819	axios	1.8.4	CRLF Injection	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-42041	SNYK-JS-AXIOS-16299925	axios	1.8.4	Prototype Pollution	2026-04-24	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22746	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176	org.springframework.security:spring-security-core	6.5.1	Information Exposure	2026-04-22	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
medium	CVE-2026-22748	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16121448	org.springframework.security:spring-security-oauth2-jose	6.5.1	Insufficient Verification of Data Authenticity	2026-04-22	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22751	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-16120313	org.springframework.security:spring-security-core	6.5.1	Time-of-check Time-of-use (TOCTOU) Race Condition	2026-04-21	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-41238	SNYK-JS-DOMPURIFY-16132234	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-22745	SNYK-JAVA-ORGSPRINGFRAMEWORK-16109618	org.springframework:spring-core	6.2.8	Allocation of Resources Without Limits or Throttling	2026-04-17	8.5.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-41240	SNYK-JS-DOMPURIFY-16078387	dompurify	3.2.5	Operator Precedence Logic Error	2026-04-16	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2026-0636	SNYK-JAVA-ORGBOUNCYCASTLE-16075254	org.bouncycastle:bcprov-jdk18on	1.80	LDAP Injection	2026-04-15	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-62718	SNYK-JS-AXIOS-15965856	axios	1.8.4	Unintended Proxy or Intermediary ('Confused Deputy')	2026-04-09	9.2.0	component_not_present
medium	(none)	SNYK-JS-DOMPURIFY-15874903	dompurify	3.2.5	Prototype Pollution	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15874905	dompurify	3.2.5	Permissive List of Allowed Inputs	2026-04-03	9.1.3	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-DOMPURIFY-15810938	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-27	9.1.3	vulnerable_code_not_in_execute_path
medium	CVE-2026-33532	SNYK-JS-YAML-15765520	yaml	1.10.2	Uncontrolled Recursion	2026-03-25	9.2.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-15599	SNYK-JS-DOMPURIFY-15371386	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-03-03	9.1.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-58754	SNYK-JS-AXIOS-12613773	axios	1.8.4	Allocation of Resources Without Limits or Throttling	2025-09-10	9.0.0	vulnerable_code_not_in_execute_path
medium	CVE-2025-53864	SNYK-JAVA-COMNIMBUSDS-10691768	com.nimbusds:nimbus-jose-jwt	9.37.3	Uncontrolled Recursion	2025-07-11	8.5.2	vulnerable_code_not_in_execute_path
medium	CVE-2023-30533	SNYK-JS-XLSX-5457926	xlsx	0.20.3	Prototype Pollution	2023-04-24	8.5.1	vulnerable_code_not_in_execute_path
medium	(none)	SNYK-JS-D3COLOR-1076592	d3-color	1.4.1	Regular Expression Denial of Service (ReDoS)	2021-02-18	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2026-41239	SNYK-JS-DOMPURIFY-16131135	dompurify	3.2.5	Cross-site Scripting (XSS)	2026-04-19	9.2.0	vulnerable_code_not_in_execute_path
low	CVE-2025-22227	SNYK-JAVA-IOPROJECTREACTORNETTY-10770514	io.projectreactor.netty:reactor-netty-http	1.0.48	Exposure of Sensitive System Information to an Unauthorized Control Sphere	2025-07-15	9.0.0	vulnerable_code_not_in_execute_path
low	CVE-2018-25050	SNYK-JS-CHOSENJS-3184933	chosen-js	1.6.2	Cross-site Scripting (XSS)	2022-12-29	9.2.0	vulnerable_code_cannot_be_controlled_by_adversary
low	CVE-2020-29582	SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744	org.jetbrains.kotlin:kotlin-stdlib	1.8.21	Information Exposure	2022-02-03	8.5.2	vulnerable_code_not_in_execute_path

Fixed (13)

Previous release was affected, but this one is not.

Severity	CVE	Snyk ID	Module	Version	Title	Disclosed
high	(none)	SNYK-JAVA-COMGITHUBJUNRAR-16097905	com.github.junrar:junrar	7.5.5	Directory Traversal	2026-04-16
high	CVE-2026-28208	SNYK-JAVA-COMGITHUBJUNRAR-15360268	com.github.junrar:junrar	7.5.5	Directory Traversal	2026-02-27
high	CVE-2025-68470	SNYK-JS-REMIXRUNROUTER-14908287	@remix-run/router	1.14.1	Open Redirect	2026-01-08
high	CVE-2026-22029	SNYK-JS-REMIXRUNROUTER-14908530	@remix-run/router	1.14.1	Cross-site Scripting (XSS)	2026-01-08
high	CVE-2025-48976	SNYK-JAVA-ORGAPACHECOMMONS-10363251	org.apache.commons:commons-fileupload2-core	2.0.0-M2	Allocation of Resources Without Limits or Throttling	2025-06-16
high	CVE-2025-48734	SNYK-JAVA-COMMONSBEANUTILS-10259368	commons-beanutils:commons-beanutils	1.9.4	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')	2025-05-28
medium	CVE-2026-41245	SNYK-JAVA-COMGITHUBJUNRAR-16115493	com.github.junrar:junrar	7.5.5	Directory Traversal	2026-04-20
medium	CVE-2025-8916	SNYK-JAVA-ORGBOUNCYCASTLE-11789695	org.bouncycastle:bcprov-jdk18on	1.78.1	Allocation of Resources Without Limits or Throttling	2025-08-13
medium	CVE-2025-41234	SNYK-JAVA-ORGSPRINGFRAMEWORK-10345766	org.springframework:spring-web	6.1.18	HTTP Response Splitting	2025-06-12
medium	CVE-2025-4949	SNYK-JAVA-ORGECLIPSEJGIT-10231763	org.eclipse.jgit:org.eclipse.jgit	7.2.0.202503040940-r	XML External Entity (XXE) Injection	2025-05-21
medium	CVE-2025-22234	SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-9789380	org.springframework.security:spring-security-crypto	6.3.8	Timing Attack	2025-04-22
low	CVE-2025-22233	SNYK-JAVA-ORGSPRINGFRAMEWORK-10176071	org.springframework:spring-context	6.1.18	Improper Handling of Case Sensitivity	2025-05-15
low	CVE-2025-26791	SNYK-JS-DOMPURIFY-8722251	dompurify	2.5.7	Cross-site Scripting (XSS)	2025-02-14