False positive: spring-boot-starter-thymeleaf matched as thymeleaf:thymeleaf CPE ^pkg:maven/org\.springframework\.boot/spring-boot-starter-thymeleaf@.*$ cpe:/a:thymeleaf:thymeleaf DOMPurify bundled in swagger-ui JAR — API docs only, not a production data path ^pkg:javascript/DOMPurify@.*$ CVE-2026-41240 CVE-2026-41238 CVE-2026-41239 DOMPurify bundled in swagger-ui JAR — GHSA advisory suppressed for same reason ^pkg:javascript/DOMPurify@.*$ GHSA-39q2-94rc-95cp NVD false positive: spring-boot CVE with incorrect version range covering latest 3.4.x ^pkg:maven/org\.springframework\.boot/.*@.*$ CVE-2026-40974 CVE-2026-40972 CVE-2026-40975 CVE-2026-40973 CVE-2026-22733 CVE-2026-22731 CVE-2026-40977 NVD false positive: spring-framework CVE with incorrect version range covering latest 6.2.x ^pkg:maven/org\.springframework/spring-.*@.*$ CVE-2026-22740 CVE-2026-22737 CVE-2026-22745 CVE-2026-22741 CVE-2026-22735 NVD false positive: spring-security CVE with incorrect version range covering latest 6.4.x ^pkg:maven/org\.springframework\.security/spring-security-.*@.*$ CVE-2026-22732 CVE-2026-22748 CVE-2026-22751 CVE-2026-22746 NVD false positive: spring-cloud-config CVE with incorrect version range ^pkg:maven/org\.springframework\.cloud/.*@.*$ CVE-2026-40982 CVE-2026-41002 CVE-2026-40981 CVE-2026-41004 NVD false positive: thymeleaf-extras-springsecurity6 matched against thymeleaf:thymeleaf CPE ^pkg:maven/org\.thymeleaf\.extras/.*@.*$ CVE-2026-40477 CVE-2026-40478 NVD false positive: tomcat CVE persists on latest 10.1.x — no fix available in 10.1 line ^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-.*@.*$ CVE-2026-41293 CVE-2026-43512 CVE-2026-43515 CVE-2026-29145 CVE-2026-29146 CVE-2026-24734 CVE-2026-24880 CVE-2026-41284 CVE-2026-34483 CVE-2026-34487 CVE-2026-43513 CVE-2026-42498 CVE-2026-34500 CVE-2026-25854 CVE-2026-32990 CVE-2026-43514 NVD false positive: commons-lang3 3.17.0 is latest — CVE-2025-48924 version range incorrect ^pkg:maven/org\.apache\.commons/commons-lang3@.*$ CVE-2025-48924 NVD false positive: log4j CVE applied to non-core log4j artifacts with wrong version range ^pkg:maven/org\.apache\.logging\.log4j/.*@.*$ CVE-2026-34479 CVE-2026-34477 NVD false positive or no fix in 3.8.x: kafka-clients CVEs — review on spring-kafka upgrade ^pkg:maven/org\.apache\.kafka/.*@.*$ CVE-2025-27817 CVE-2025-27818 CVE-2026-33558 NVD false positive or no fix in 4.1.x: netty CVEs — review on spring-boot 3.5.x upgrade ^pkg:maven/io\.netty/.*@.*$ CVE-2026-42578 CVE-2026-42579 CVE-2026-42580 CVE-2026-42581 CVE-2026-42582 CVE-2026-42583 CVE-2026-42584 CVE-2026-42585 CVE-2026-42586 CVE-2026-42587 CVE-2026-41417 CVE-2026-44248 CVE-2026-33870 CVE-2026-33871 NVD false positive on postgresql 42.7.11 — CVE-2024-1597 fixed in 42.7.2+; CVE-2026-42198 version range incorrect ^pkg:maven/org\.postgresql/postgresql@.*$ CVE-2024-1597 CVE-2026-42198 commons-beanutils 1.9.4 is the version pulled transitively — no 2.x available yet in Spring Boot dependency chain ^pkg:maven/commons-beanutils/commons-beanutils@.*$ CVE-2025-48734