Wicket includes jQuery 1, 2, and 3 but only 3 is used
^pkg:javascript/jquery@(1|2)\..*$
CVE-2015-9251
CVE-2019-11358
CVE-2020-11022
CVE-2020-11023

^pkg:maven/com\.lowagie/itext@.*$
CVE-2021-43113

^pkg:maven/org\.apache\.logging\.log4j/log4j\-.*@.*$
CVE-2022-33915
CVE-2022-31548

No usages of com.google.common.io.Files#createTempDir
CVE-2020-8908

This is when trying to serialize recursive data structures, such as a list containing itself or similar. Since an attacker can only craft strings that are *de*-serialized it is impossible to use this "exploit" and it is only something we can do to ourselves. The same problem exists with Map#hashCode for example and everyone is fine with that.
CVE-2023-35116

This is a complete nonsense vulnerability. Some automated tool has gone completely bananas.
CVE-2024-22949

This is a complete nonsense vulnerability. Some automated tool has gone completely bananas.
CVE-2023-52070

This is a complete nonsense vulnerability. Some automated tool has gone completely bananas.
CVE-2024-23076

https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757
Basically if you allow untrusted user input to be used in the "ORDER BY" clause you can be vulnerable to SQL injection. I believe this is nonsense and akin to saying every Java application has a security vulnerability because JDBC allows you to execute arbitrary SQL if you do not properly use PreparedStatement with parameters over a string-concatenated Statement. Even if this is considered a valid vulnerability we do not, currently, allow untrusted user input to be used in the "ORDER BY" clause.
CVE-2024-49203