commons-compress 1.20 is vulnerable:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090
Should be upgraded to 1.21.
This is already fixed in POI trunk and will be part of the next release. You can modify your own build to use the latest commons-compress as a workaround.
Thanks for the prompt update! Is there any place I can see the planned release timeline?
Release is not yet scheduled, but there is a workaround: upgrade commons-compress in your own build. Remember, this is not a POI issue.
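
The workaround discussed in this thread, as an added example that is not part of any comment above and not from the POI project: it assumes the consuming build uses Maven (the thread does not name a build tool) and pins the transitive commons-compress dependency to 1.21 in that project's own pom.xml.

```xml
<!-- Added example; Maven as the build tool is an assumption.
     Place inside <project> in the consuming application's pom.xml.
     A version set in dependencyManagement overrides the version that
     POI (or any other dependency) pulls in transitively. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <!-- 1.21 is the fixed version named in the report above -->
      <version>1.21</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` afterwards shows which version the build actually resolves; the output should list 1.21 and no 1.20 entry.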