Critical vulnerabilities in the latest Jmix version (2.8)

We are currently using the latest Jmix 2.8 version in our application.

During our recent SCA (Software Composition Analysis) scan, we noticed multiple vulnerabilities reported in some transitive dependencies such as Spring Security, Spring WebMVC, Tomcat, Jackson, and Netty.

Could you please let us know if there are any planned upgrades or upcoming releases to address these dependency versions and related security findings?

We would appreciate any guidance or recommended timeline for dependency updates.

Hi,

We’d appreciate it if you could be more specific about the affected versions. In the meantime, the very next bug fix release 2.8.1 will be updated to the latest org.springframework.boot:spring-boot-dependencies:3.5.13 version.

Regards,
Gleb

Perhaps Jmix could create a GitHub workflow that does the Gradle dependency submission? This way the known vulnerabilities would be listed on the Security tab and the team would be more aware of the challenges we face.
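For reference, this is what such a workflow looks like. It is an added example, not a file from the Jmix repository, and it uses the published `gradle/actions/dependency-submission` action, which runs the Gradle build's dependency resolution and uploads the resolved graph (including transitive artifacts such as Spring Security, Tomcat, Jackson and Netty) to GitHub's Dependency Graph, so Dependabot alerts for them appear on the Security tab. The branch name `main`, the Temurin JDK 17 toolchain and the weekly schedule are assumptions; adjust them to the project's settings.

```yaml
# .github/workflows/dependency-submission.yml
# Added example; not part of the Jmix project. Branch, JDK and schedule are assumptions.
name: Dependency submission

on:
  push:
    branches: [ main ]
  schedule:
    # Resubmit weekly so newly published advisories are matched against the current graph
    - cron: '0 6 * * 1'

# The submission API writes to the repository's dependency graph, so the
# GITHUB_TOKEN needs contents: write; no other scope is required.
permissions:
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17

      # Resolves every configuration of the Gradle build, generates a
      # dependency graph snapshot and submits it to GitHub's Dependency
      # Submission API. Transitive dependencies are included.
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v4
```

Once the first run completes, the Insights > Dependency graph page lists the resolved versions, and Dependabot alerts for known CVEs in those artifacts show up under Security, which also gives the maintainers the exact affected versions that were asked for above.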