Wicket includes jQuery 1, 2, and 3 but only 3 is used
^pkg:javascript/jquery@(1|2)\..*$
CVE-2015-9251 CVE-2019-11358 CVE-2020-11022 CVE-2020-11023

^pkg:maven/com\.lowagie/itext@.*$
CVE-2021-43113

^pkg:maven/org\.apache\.logging\.log4j/log4j\-.*@.*$
CVE-2022-33915 CVE-2022-31548

No usages of com.google.common.io.Files#createTempDir
CVE-2020-8908

This is when trying to serialize recursive data structures, such as a list containing itself or similar. Since an attacker can only craft strings that are *de*-serialized, it is impossible to use this "exploit" and it is only something we can do to ourselves. The same problem exists with Map#hashCode for example and everyone is fine with that.
CVE-2023-35116

This is a complete nonsense vulnerability. Some automated tool has gone completely bananas.
CVE-2024-22949

This is a complete nonsense vulnerability. Some automated tool has gone completely bananas.
CVE-2023-52070

This is a complete nonsense vulnerability. Some automated tool has gone completely bananas.
CVE-2024-23076