| plexus-utils | 3.5.1 | HIGH | GHSA-6fmv-xxpf-w3cw | 3.6.1 | Plexus-Utils has a Directory Traversal vulnerability in its extractFile method |
| jetty-server | 12.0.22 | HIGH | GHSA-xxh7-fcf3-rj7f | 12.0.32 | The Eclipse Jetty Server Artifact has a Gzip request memory leak |
| glibc | 2.43-r6 | HIGH | CVE-2026-5928 | n/a | Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte |
| jetty-http | 12.0.22 | HIGH | GHSA-355h-qmc2-wpwf | 12.0.33 | Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing |
| log4j-1.2-api | 2.25.3 | MEDIUM | GHSA-h383-gmxw-35v2 | 2.25.4 | Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters |
| log4j-core | 2.25.3 | MEDIUM | GHSA-445c-vh5m-36rj | 2.25.4 | Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility |
| log4j-core | 2.25.3 | MEDIUM | GHSA-3pxv-7cmr-fjr4 | 2.25.4 | Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters |
| log4j-core | 2.25.3 | MEDIUM | GHSA-6hg6-v5c8-fphq | 2.25.4 | Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration |
| jackson-core | 2.19.2 | MEDIUM | GHSA-72hv-8253-57qq | 2.21.1 | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition |
| jetty-http | 12.0.22 | LOW | GHSA-wjpw-4j6x-6rwh | 12.0.31 | org.eclipse.jetty:jetty-http has different parsing of invalid URIs |