Maven — vulnerability landscape

Every CVE-affected package in the Maven ecosystem, sorted by risk.

Last updated 6/4/2026, 12:43:03 PM

#	Package	CVEs	KEV	Max EPSS
1	org.apache.tomcat.embed:tomcat-embed-core	71	5	94.5%
2	org.apache.struts:struts2-core	60	5	94.4%
3	org.jenkins-ci.main:jenkins-core	251	4	94.5%
4	org.apache.tomcat:tomcat-catalina	39	3	94.4%
5	org.elasticsearch:elasticsearch	43	2	92.3%
6	org.apache.solr:solr-core	30	2	94.5%
7	org.apache.activemq:activemq-client	18	2	94.4%
8	org.geoserver.web:gs-web-app	13	2	94.4%
9	org.apache.logging.log4j:log4j-core	11	2	94.4%
10	org.geoserver:gs-wms	8	2	94.4%
11	org.ops4j.pax.logging:pax-logging-log4j2	4	2	94.4%
12	com.thoughtworks.xstream:xstream	37	1	94.3%
13	org.jenkins-ci.plugins:script-security	35	1	94.4%
14	org.apache.tomcat:tomcat-coyote	26	1	94.4%
15	org.springframework:spring-webmvc	18	1	94.4%
16	org.apache.struts.xwork:xwork-core	16	1	93.6%
17	org.jenkins-ci.plugins.workflow:workflow-cps	13	1	91.8%
18	struts:struts	11	1	69.5%
19	org.springframework:spring-webflux	10	1	94.4%
20	org.apache.shiro:shiro-core	10	1	94.3%
21	org.apache.activemq:activemq-broker	9	1	83.5%
22	org.webjars.npm:jquery	8	1	34.7%
23	org.apache.activemq:activemq-all	8	1	83.5%
24	org.springframework.cloud:spring-cloud-config-server	7	1	94.3%
25	org.apache.kylin:kylin-core-common	6	1	93.7%
26	org.apache.struts:struts2-rest-plugin	6	1	94.3%
27	io.netty:netty-codec-http2	6	1	94.4%
28	com.liferay.portal:com.liferay.portal.kernel	6	1	94.4%
29	org.igniterealtime.openfire:xmppserver	6	1	94.4%
30	com.typesafe.akka:akka-http-core_2.11	4	1	94.4%
31	org.eclipse.jetty.http2:jetty-http2-common	4	1	94.4%
32	com.typesafe.akka:akka-http-core_2.12	4	1	94.4%
33	org.geoserver:gs-wfs	4	1	94.4%
34	org.springframework.cloud:spring-cloud-gateway	3	1	94.5%
35	org.springframework.data:spring-data-commons	3	1	94.3%
36	org.richfaces:richfaces-core	3	1	89.5%
37	org.eclipse.jetty.http2:http2-common	3	1	94.4%
38	org.apache.activemq:activemq-openwire-legacy	2	1	94.4%
39	org.xwiki.platform:xwiki-platform-search-solr-ui	2	1	93.7%
40	org.apache.rocketmq:rocketmq-broker	2	1	94.4%
41	org.eclipse.jetty.http2:http2-server	2	1	94.4%
42	org.springframework:spring-beans	2	1	94.4%
43	org.primefaces:primefaces	2	1	93.9%
44	org.apache.spark:spark-parent_2.12	2	1	93.5%
45	org.springframework.cloud:spring-cloud-function-context	2	1	94.5%
46	com.typesafe.akka:akka-http-core_2.13	2	1	94.4%
47	org.apache.hugegraph:hugegraph-api	2	1	94.3%
48	org.apache.rocketmq:rocketmq-namesrv	2	1	94.4%
49	com.typesafe.akka:akka-http-core	2	1	94.4%
50	org.springframework.boot:spring-boot-starter-web	1	1	94.4%
51	org.springframework.boot:spring-boot-starter-webflux	1	1	94.4%
52	org.apache.rocketmq:rocketmq-controller	1	1	94.4%
53	org.xbib.elasticsearch:log4j	1	1	94.4%
54	uk.co.nichesolutions.logging.log4j:log4j-core	1	1	94.4%
55	com.guicedee.services:log4j-core	1	1	94.4%
56	org.apache.tomcat:tomcat-catalina-jmx-remote	1	1	93.8%
57	org.apache.struts:struts2-struts1-plugin	1	1	94.1%
58	it.geosolutions.jaiext.jiffle:jt-jiffle	1	1	94.0%
59	org.eclipse.jetty.http2:jetty-http2-server	1	1	94.4%
60	org.apache.hugegraph:hugegraph-core	1	1	94.3%
61	org.apache.flink:flink-runtime_2.11	1	1	94.3%
62	org.sonatype.nexus:nexus-extdirect	1	1	94.4%
63	org.apache.flink:flink-runtime_2.12	1	1	94.3%
64	it.geosolutions.jaiext.jiffle:jt-jiffle-language	1	1	94.0%
65	org.zkoss.zk:zk	1	1	93.9%
66	com.liferay.portal:release.portal.bom	159	—	79.6%
67	org.apache.tomcat:tomcat	159	—	92.7%
68	com.liferay.portal:release.dxp.bom	125	—	17.6%
69	org.keycloak:keycloak-services	74	—	89.7%
70	com.fasterxml.jackson.core:jackson-databind	69	—	84.9%
71	org.keycloak:keycloak-core	49	—	92.3%
72	org.xwiki.platform:xwiki-platform-oldcore	45	—	36.3%
73	io.undertow:undertow-core	39	—	55.2%
74	net.mingsoft:ms-mcms	39	—	75.5%
75	com.jfinal:jfinal	36	—	1.7%
76	org.springframework.security:spring-security-core	31	—	90.2%
77	org.opencms:opencms-core	31	—	18.6%
78	org.eclipse.jetty:jetty-server	26	—	91.9%
79	org.apache.openmeetings:openmeetings-parent	25	—	73.3%
80	org.keycloak:keycloak-parent	25	—	0.9%
81	org.bouncycastle:bcprov-jdk14	25	—	4.1%
82	org.bouncycastle:bcprov-jdk15on	24	—	68.1%
83	org.xwiki.platform:xwiki-platform-web-templates	23	—	70.7%
84	org.apache.nifi:nifi	21	—	3.9%
85	org.cloudfoundry.identity:cloudfoundry-identity-server	21	—	0.5%
86	com.liferay.portal:com.liferay.portal.impl	18	—	0.6%
87	org.apache.jspwiki:jspwiki-main	18	—	50.6%
88	org.springframework:spring-core	18	—	91.0%
89	org.apache.inlong:manager-pojo	17	—	7.1%
90	org.apache.dolphinscheduler:dolphinscheduler	17	—	88.5%
91	org.apache.geode:geode-core	17	—	4.7%
92	org.apache.ranger:ranger	16	—	2.0%
93	org.bouncycastle:bcprov-jdk15	16	—	4.1%
94	org.apache.dubbo:dubbo	16	—	89.0%
95	io.netty:netty-codec-http	15	—	18.3%
96	ai.h2o:h2o-core	15	—	63.3%
97	org.xwiki.platform:xwiki-platform-web	15	—	38.8%
98	org.jenkins-ci.plugins:git	13	—	81.3%
99	org.apache.hadoop:hadoop-main	13	—	4.6%
100	org.apache.tika:tika-core	13	—	93.9%
101	org.apache.kylin:kylin	13	—	93.3%
102	org.jeecgframework.boot:jeecg-boot-parent	12	—	92.2%
103	org.apache.cassandra:cassandra-all	12	—	91.0%
104	org.apache.cxf:cxf-core	12	—	8.6%
105	org.apache.hadoop:hadoop-common	12	—	3.0%
106	org.bouncycastle:bcprov-jdk15to18	12	—	4.1%
107	org.apache.cxf:cxf	12	—	14.6%
108	org.springframework:spring-web	12	—	60.4%
109	org.apache.streampark:streampark	12	—	6.6%
110	org.graylog2:graylog2-server	11	—	3.9%
111	org.igniterealtime.openfire:parent	11	—	93.9%
112	org.mortbay.jetty:jetty	11	—	19.4%
113	org.apache.jspwiki:jspwiki-war	11	—	4.4%
114	org.apache.james:james-server	11	—	74.9%
115	org.apache.camel:camel-core	11	—	28.7%
116	com.xuxueli:xxl-job	11	—	19.0%
117	org.xwiki.platform:xwiki-platform-rest-server	11	—	86.2%
118	org.jenkins-ci.plugins:email-ext	11	—	20.6%
119	org.xwiki.platform:xwiki-platform-administration-ui	11	—	92.5%
120	org.apache.archiva:archiva	11	—	27.5%
121	org.apache.commons:commons-compress	11	—	1.8%
122	org.apache.spark:spark-core_2.11	10	—	89.0%
123	io.netty:netty	10	—	18.3%
124	org.jboss.netty:netty	10	—	18.3%
125	org.jenkins-ci.plugins.workflow:workflow-cps-global-lib	10	—	0.6%
126	org.craftercms:crafter-studio	10	—	14.5%
127	org.apache.inlong:manager-service	10	—	0.9%
128	org.apache.hive:hive-exec	10	—	8.2%
129	com.vaadin:flow-server	10	—	1.8%
130	org.apache.linkis:linkis	10	—	1.4%
131	com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer	10	—	4.3%
132	org.bouncycastle:bc-fips	10	—	2.4%
133	org.jenkins-ci.plugins:electricflow	9	—	0.2%
134	org.keycloak:keycloak-quarkus-server	9	—	0.2%
135	org.opencrx:opencrx-core-models	9	—	0.4%
136	org.postgresql:postgresql	9	—	7.8%
137	org.jenkins-ci.plugins:active-directory	9	—	0.5%
138	org.opennms:opennms	9	—	2.4%
139	mysql:mysql-connector-java	9	—	63.8%
140	io.jenkins:configuration-as-code	9	—	0.1%
141	cn.hutool:hutool-core	9	—	0.6%
142	org.apache.activemq:apache-activemq	9	—	93.0%
143	org.apache.xmlgraphics:batik	9	—	47.8%
144	org.apache.spark:spark-core_2.10	9	—	89.0%
145	com.vaadin:vaadin-bom	9	—	0.7%
146	org.apache.hive:hive	9	—	1.0%
147	org.bouncycastle:bcprov-jdk18on	9	—	0.3%
148	org.silverpeas.core:silverpeas-core-web	9	—	6.7%
149	org.jenkins-ci.plugins:config-file-provider	9	—	0.8%
150	org.apache.zookeeper:zookeeper	9	—	17.4%
151	org.apache.tapestry:tapestry-core	9	—	94.2%
152	org.jeecgframework.boot:jeecg-boot-common	8	—	93.4%
153	org.apache.santuario:xmlsec	8	—	8.4%
154	io.jenkins.blueocean:blueocean	8	—	2.4%
155	org.apache.ozone:ozone-main	8	—	1.2%
156	org.apache.wicket:wicket-core	8	—	5.2%
157	org.apache.zeppelin:zeppelin	8	—	6.0%
158	org.jenkins-ci.plugins:subversion	8	—	3.7%
159	io.netty:netty-handler	8	—	8.2%
160	ch.qos.logback:logback-core	8	—	10.1%
161	org.apache.hive:hive-service	8	—	6.5%
162	org.jenkins-ci.plugins:oic-auth	8	—	0.5%
163	org.yaml:snakeyaml	8	—	93.8%
164	com.ruoyi:ruoyi	8	—	84.5%
165	org.webjars:bootstrap	8	—	9.8%
166	org.apache.ambari:ambari	8	—	2.5%
167	org.jenkins-ci.plugins:ec2	8	—	0.7%
168	org.apache.druid:druid	8	—	93.9%
169	org.apache.pdfbox:pdfbox	8	—	13.0%
170	io.vertx:vertx-core	7	—	1.3%
171	io.vertx:vertx-web	7	—	2.5%
172	net.opentsdb:opentsdb	7	—	94.3%
173	com.hazelcast:hazelcast	7	—	8.3%
174	org.jenkins-ci.plugins:artifactory	7	—	0.3%
175	ca.uhn.hapi.fhir:org.hl7.fhir.utilities	7	—	7.9%
176	org.owasp.antisamy:antisamy	7	—	0.7%
177	org.jboss.resteasy:resteasy-client	7	—	4.6%
178	ca.uhn.hapi.fhir:org.hl7.fhir.r5	7	—	7.9%
179	org.opensearch.plugin:opensearch-security	7	—	0.4%
180	org.opencastproject:opencast-kernel	7	—	0.3%
181	org.jeecgframework.boot:jeecg-boot-base	7	—	57.2%
182	org.apache.poi:poi	7	—	13.1%
183	io.jenkins.plugins:cavisson-ns-nd-integration	7	—	9.5%
184	ca.uhn.hapi.fhir:org.hl7.fhir.r4b	7	—	7.9%
185	io.jenkins.plugins:miniorange-saml-sp	7	—	0.6%
186	org.jenkins-ci.plugins:credentials-binding	7	—	2.7%
187	io.dataease:dataease-plugin-common	7	—	0.9%
188	io.atomix:atomix	7	—	0.4%
189	org.apache.mina:mina-core	7	—	55.9%
190	org.apache.axis:axis	7	—	90.0%
191	org.apache.karaf:apache-karaf	7	—	5.4%
192	org.jruby:jruby-stdlib	7	—	1.8%
193	org.apache.kafka:kafka-clients	7	—	21.4%
194	com.xuxueli:xxl-job-admin	7	—	1.3%
195	org.apache.inlong:manager-web	7	—	0.9%
196	org.jenkins-ci.plugins:rundeck	7	—	0.4%
197	org.jenkins-ci.plugins:mercurial	7	—	0.5%
198	tech.powerjob:powerjob	7	—	90.4%
199	org.jenkins-ci.plugins:jobConfigHistory	7	—	16.3%
200	org.apache.derby:derby	7	—	2.6%
201	org.apache.cxf:apache-cxf	7	—	14.6%
202	org.jenkins-ci.plugins:htmlpublisher	7	—	1.3%
203	commons-fileupload:commons-fileupload	7	—	92.7%
204	org.apache.atlas:atlas-common	7	—	1.9%
205	org.webjars.npm:jquery-ui	7	—	31.2%
206	org.apache.activemq:activemq-parent	7	—	65.7%
207	org.jenkins-ci.plugins:openshift-deployer	7	—	0.3%
208	org.apache.syncope:syncope-core	7	—	7.1%
209	net.gleske:jervis	7	—	0.1%
210	io.jenkins.plugins:warnings-ng	7	—	0.8%
211	log4j:log4j	6	—	72.2%
212	org.apache.streampipes:streampipes-parent	6	—	1.8%
213	org.apache.storm:storm-core	6	—	15.3%
214	org.jenkins-ci.plugins:azure-ad	6	—	0.9%
215	org.jenkins-ci.plugins:azure-vm-agents	6	—	0.4%
216	org.apache.solr:solr-parent	6	—	93.9%
217	org.pytorch:executorch-android	6	—	0.4%
218	ca.uhn.hapi.fhir:org.hl7.fhir.validation	6	—	7.9%
219	axis:axis	6	—	90.0%
220	org.apache.struts:struts-core	6	—	69.5%
221	org.silverpeas.core:silverpeas-core	6	—	49.8%
222	com.google.protobuf:protobuf-java	6	—	0.5%
223	org.infinispan:infinispan-core	6	—	1.8%
224	org.hibernate:hibernate-validator	6	—	1.7%
225	org.apache.pulsar:pulsar-broker	6	—	0.3%
226	cn.hutool:hutool-json	6	—	1.2%
227	org.apache.shenyu:shenyu-common	6	—	89.9%
228	org.apache.mesos:mesos	6	—	4.9%
229	org.jeecgframework.boot:jeecg-boot-base-core	6	—	1.1%
230	com.xuxueli:xxl-job-core	6	—	26.9%
231	gov.nsa.emissary:emissary	6	—	0.1%
232	org.csanchez.jenkins.plugins:kubernetes	6	—	1.5%
233	com.vaadin:vaadin-server	6	—	0.7%
234	com.xebialabs.deployit.ci:deployit-plugin	6	—	0.1%
235	org.jenkins-ci.plugins:repository-connector	6	—	16.8%
236	org.apache.ignite:ignite-core	6	—	5.6%
237	org.apache.httpcomponents:httpclient	6	—	4.4%
238	org.jenkins-ci.plugins:pipeline-maven	6	—	0.4%
239	com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger	6	—	0.2%
240	org.yamcs:yamcs-core	6	—	—
241	com.datapipe.jenkins.plugins:hashicorp-vault-plugin	6	—	0.7%
242	com.nimbusds:nimbus-jose-jwt	6	—	4.3%
243	org.jenkins-ci.plugins:ghprb	6	—	0.3%
244	org.apache.zeppelin:zeppelin-server	6	—	0.9%
245	org.jenkins-ci.plugins:fortify-on-demand-uploader	6	—	0.5%
246	org.wildfly:wildfly-parent	6	—	30.0%
247	org.xwiki.commons:xwiki-commons-xml	6	—	21.6%
248	org.jenkins-ci.plugins:gitlab-oauth	6	—	0.1%
249	com.jflyfox:jflyfox_jfinal	6	—	4.1%
250	net.snowflake:snowflake-jdbc	6	—	2.1%
251	org.apache.tika:tika	6	—	0.4%
252	org.jenkins-ci.plugins:ec2-deployment-dashboard	6	—	9.1%
253	org.jenkins-ci.plugins:gitlab-plugin	6	—	14.9%
254	hudson.plugins:project-inheritance	6	—	9.1%
255	org.xwiki.platform:xwiki-platform-flamingo-skin-resources	6	—	48.1%
256	org.springframework.security.oauth:spring-security-oauth2	5	—	93.7%
257	org.jenkins-ci.plugins:codedx	5	—	0.5%
258	org.springframework.security:spring-security-config	5	—	49.3%
259	org.springframework.boot:spring-boot	5	—	0.6%
260	org.springframework.amqp:spring-amqp	5	—	21.3%
261	org.owasp.esapi:esapi	5	—	1.0%
262	org.jeecgframework.boot:jeecg-module-system	5	—	1.1%
263	org.jenkins-ci.plugins:credentials	5	—	0.4%
264	io.projectreactor.netty:reactor-netty-http	5	—	1.5%
265	org.jenkins-ci.plugins:aws-codecommit-trigger	5	—	0.6%
266	org.springframework.security:spring-security-web	5	—	90.2%
267	io.jenkins.plugins:neuvector-vulnerability-scanner	5	—	1.1%
268	org.jboss.resteasy:resteasy-bom	5	—	2.3%
269	org.open-metadata:openmetadata-service	5	—	92.9%
270	org.opennms:opennms-webapp	5	—	0.5%
271	org.geoserver:gs-main	5	—	93.3%
272	org.fitnesse:fitnesse	5	—	6.6%
273	org.keycloak:keycloak-server-spi-private	5	—	0.3%
274	ca.uhn.hapi.fhir:org.hl7.fhir.r4	5	—	7.9%
275	info.magnolia:magnolia-core	5	—	1.2%
276	org.glassfish.main.admingui:console-common	5	—	0.4%
277	org.opencastproject:opencast-common	5	—	0.4%
278	edu.stanford.nlp:stanford-corenlp	5	—	0.5%
279	org.jenkins-ci.plugins:wso2id-oauth	5	—	0.4%
280	org.dspace:dspace-jspui	5	—	0.8%
281	org.jenkins-ci.tools:git-parameter	5	—	0.2%
282	org.jenkins-ci.plugins:websphere-deployer	5	—	0.1%
283	org.jenkins-ci.plugins:vmanager-plugin	5	—	0.9%
284	org.jenkins-ci.plugins:sinatra-chef-builder	5	—	0.1%
285	org.apache.kylin:kylin-server-base	5	—	84.7%
286	ca.uhn.hapi.fhir:org.hl7.fhir.dstu3	5	—	7.9%
287	org.jenkins-ci.plugins:support-core	5	—	0.8%
288	ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may	5	—	7.9%
289	com.vaadin:vaadin	5	—	0.4%
290	org.apache.inlong:manager-dao	5	—	0.9%
291	org.apache.iotdb:iotdb-core	5	—	3.4%
292	org.codehaus.jettison:jettison	5	—	0.5%
293	org.jenkins-ci.plugins:publish-over-ssh	5	—	1.3%
294	org.jenkins-ci.plugins:scriptler	5	—	0.2%
295	org.apache.hadoop:hadoop-client	5	—	5.8%
296	org.jenkinsci.plugins:octoperf	5	—	0.6%
297	com.synopsys.jenkinsci:ownership	5	—	0.2%
298	com.shopizer:shopizer	5	—	0.7%
299	org.jenkins-ci.plugins:matrix-project	5	—	9.0%
300	com.alibaba:dubbo	5	—	74.6%