Critical vulnerabilities in Jmix latest version 2.8

We are currently using the latest Jmix 2.8 version in our application.

During our recent SCA (Software Composition Analysis) scan, we noticed multiple vulnerabilities reported in some transitive dependencies such as Spring Security, Spring WebMVC, Tomcat, Jackson, and Netty.

Could you please let us know if there are any planned upgrades or upcoming releases to address these dependency versions and related security findings?

We would appreciate any guidance or recommended timeline for dependency updates.

Hi,

We’d appreciate it if you could be more specific about the affected versions. In the meantime, the very next bug fix release 2.8.1 will be updated to the latest org.springframework.boot:spring-boot-dependencies:3.5.13 version.

Regards,
Gleb

Perhaps Jmix could create a GitHub workflow that does the Gradle dependency submission? This way the known vulnerabilities would be listed on the Security tab and the team would be more aware of the challenges we face.

We have an internal Dependency-Track instance and a couple of private GitHub repos with Jmix dependencies recognized by the GitHub security analyzer. So we are aware of vulnerabilities and do our best to update dependencies in each new Jmix patch.

Now this information is aggregated for the whole set of Jmix add-ons, so it’s not relevant for most application projects where only a subset of add-ons is used.

For tracking vulnerabilities in your projects (that may also include dependencies not from Jmix), you can set up your own instance of Dependency-Track and use their Gradle plugin to submit your project’s SBOM.

Regards,
Konstantin
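The SBOM workflow suggested in the last reply, written out as an added example that is not part of this thread and not code from the Jmix project. It assumes the application's Gradle build already applies the CycloneDX Gradle plugin (plugin id `org.cyclonedx.bom`, task `cyclonedxBom`, default output `build/reports/bom.json`; adjust if your plugin version differs) and that a Dependency-Track instance is reachable at `DTRACK_URL` with an API key in `DTRACK_API_KEY`; the hostname, key placeholder, project name and version below are assumptions, not values from the thread. The script checks that the generated file really is a CycloneDX document with components before uploading it with the `POST /api/v1/bom` multipart endpoint, so an empty or misconfigured SBOM does not silently overwrite a good one in Dependency-Track.

```shell
#!/usr/bin/env sh
# Added example: generate a CycloneDX SBOM for a Jmix application with Gradle
# and submit it to a self-hosted Dependency-Track instance.
set -eu

# Assumed settings; override via the environment.
DTRACK_URL="${DTRACK_URL:-https://dtrack.example.internal}"      # assumption
DTRACK_API_KEY="${DTRACK_API_KEY:-REPLACE_WITH_API_KEY}"         # placeholder
PROJECT_NAME="${PROJECT_NAME:-my-jmix-app}"                      # assumption
PROJECT_VERSION="${PROJECT_VERSION:-1.0.0}"                      # assumption
BOM_FILE="${BOM_FILE:-build/reports/bom.json}"                   # plugin default, assumed

# check_bom FILE: return 0 only if FILE is a non-empty CycloneDX SBOM that
# declares a components list. Dependency-Track ingests CycloneDX, so an
# SPDX file or an empty report would be rejected or produce a useless project.
check_bom() {
  file="$1"
  [ -s "$file" ] || { echo "SBOM $file is missing or empty" >&2; return 1; }
  grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file" \
    || { echo "$file is not a CycloneDX SBOM" >&2; return 1; }
  grep -q '"components"' "$file" \
    || { echo "$file declares no components; check the Gradle plugin config" >&2; return 1; }
  return 0
}

# count_components FILE: number of package URLs in the SBOM. A suspiciously
# low number usually means transitive dependencies were not resolved.
count_components() {
  grep -o '"purl"' "$1" | wc -l | tr -d ' '
}

# generate_bom: run the CycloneDX Gradle plugin task (assumed task name).
generate_bom() {
  ./gradlew cyclonedxBom
}

# upload_bom FILE: submit the SBOM. autoCreate=true lets Dependency-Track
# create the project on first upload; later uploads refresh its components.
upload_bom() {
  curl --fail --silent --show-error \
    -X POST "${DTRACK_URL}/api/v1/bom" \
    -H "X-Api-Key: ${DTRACK_API_KEY}" \
    -F "autoCreate=true" \
    -F "projectName=${PROJECT_NAME}" \
    -F "projectVersion=${PROJECT_VERSION}" \
    -F "bom=@$1"
}

main() {
  generate_bom
  check_bom "$BOM_FILE"
  echo "uploading $(count_components "$BOM_FILE") components to ${DTRACK_URL}"
  upload_bom "$BOM_FILE"
}

# Run the full pipeline only when invoked as: sh submit_sbom.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

The API key used for `autoCreate=true` needs both the BOM_UPLOAD and PROJECT_CREATION_UPLOAD permissions in Dependency-Track; with a key that only has BOM_UPLOAD, create the project in the UI first and drop `autoCreate`. Running this from CI on every build keeps the per-project view current, which is exactly the gap the reply describes: the aggregate data for all Jmix add-ons says little about the subset your application actually ships.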