Cyclonedx Core Java


By the Year

In 2026 there have been 0 vulnerabilities in Cyclonedx Core Java. Last year, in 2025, Cyclonedx Core Java had 1 security vulnerability published. Right now, Cyclonedx Core Java is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 1 7.50

It may take a day or so for new Cyclonedx Core Java vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Cyclonedx Core Java Security Vulnerabilities

CycloneDX Core Java XXE in XML Validator prior to v11.0.1
CVE-2025-64518 7.5 - High - November 10, 2025

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.

XXE
