6 matches found
CVE-2021-39239
CVE-2021-39239 affects Apache Jena’s XML processing (versions up to 4.1.0) and allows XML External Entity (XXE) attacks in which a remote attacker can read local files. Connected IBM advisories confirm multiple IBM products (e.g., DOORS Next, Jazz Reporting Service, Integration Bus) include this...
CVE-2022-28890
CVE-2022-28890: Apache Jena’s RDF/XML parser is vulnerable to an XXE-like issue where an attacker can cause an external DTD to be retrieved. The vulnerability affects Apache Jena versions 4.4.0 and earlier; parity notes indicate that Apache Jena 4.2.x and 4.3.x do not allow external entities, im...
CVE-2023-22665
CVE-2023-22665: Apache Jena (versions 4.7.0 and earlier) has insufficient checking of user queries when invoking custom scripts, enabling a remote attacker to execute arbitrary JavaScript via a SPARQL query. Documented in IBM/X-Force and related advisories, the vulnerability affects Apache Jena ...
CVE-2023-32200
CVE-2023-32200: Apache Jena versions 3.7.0 through 4.8.0 are affected by insufficient restrictions of called script functions, enabling a remote attacker to execute JavaScript via a SPARQL query. The issue affects Jena up to 4.8.0. Root cause: improper/insufficient restrictions on script functio...
CVE-2025-49656
CVE-2025-49656 affects Apache Jena Fuseki prior to 5.5.0. Multiple connected sources describe a path traversal vulnerability where a user with administrator access can cause the Fuseki server to create database files outside the intended files area. The vulnerability is tied to the Fuseki admin/U...
CVE-2025-50151
CVE-2025-50151 affects Apache Jena up to version 5.4.0, where file access paths in configuration files uploaded by administrators are not validated. The issue’s root cause is the missing validation of configuration file paths, allowing potential arbitrary file access. Mitigation: upgrade to Apach...