Apache Solr depends on many third-party libraries. Security scanners routinely flag CVEs in those libraries, but a CVE in a dependency does not automatically mean Solr is vulnerable — it depends on whether Solr actually exercises the affected code path in a way that can be exploited.
We publish our assessment of dependency CVEs in a machine-readable VEX (Vulnerability Exploitability eXchange) file. VEX is an open standard that lets vendors state explicitly whether a CVE applies to their product, and why. A number of formats are under active development, including CycloneDX and CSAF. We currently publish in CycloneDX 1.6 JSON format.
If your scanner supports VEX, download the file below and point your scanner at it to automatically suppress known non-applicable findings. If your scanner does not yet support VEX, you can use the table on this page to manually triage flagged CVEs.
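As an added illustration of the triage described above (not Solr's published VEX file and not any scanner's code), the following Python reads a constructed CycloneDX 1.6 VEX document modelled on two rows of the table below and decides which scanner findings may be suppressed; the CVE ids and jar versions come from the table, while the purls, justification and detail strings are assumptions.

```python
import json

# Constructed CycloneDX 1.6 VEX document modelled on two rows of the table on this
# page. It is NOT Solr's published file: the CVE ids and jar versions come from the
# table, but the purls, justification and detail strings are assumptions.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "vulnerabilities": [
    {"id": "CVE-2026-34480",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "(example) assumed reason the code path is not exercised"},
     "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.25.3"}]},
    {"id": "CVE-2026-42440",
     "analysis": {"state": "exploitable", "detail": "(example) see the Solr advisory"},
     "affects": [{"ref": "pkg:maven/org.apache.opennlp/opennlp-tools@1.9.4"}]}
  ]
}"""

# Only these CycloneDX analysis states let a finding be dropped; "exploitable",
# "in_triage" and any unknown state must stay visible to the operator.
SUPPRESSIBLE_STATES = {"not_affected", "false_positive"}

def index_vex(doc: str) -> dict:
    """Index the VEX statements by (vulnerability id, affected component purl)."""
    index = {}
    for vuln in json.loads(doc).get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = vuln.get("analysis", {})
    return index

def triage(findings: list, vex_index: dict) -> tuple:
    """Split scanner findings (cve id, purl) into (suppressed, still_open).
    Suppression needs an exact (id, purl) match: a statement about log4j-core@2.25.3
    says nothing about 2.25.2, so a finding on another version stays open."""
    suppressed, still_open = [], []
    for cve, purl in findings:
        state = vex_index.get((cve, purl), {}).get("state")
        (suppressed if state in SUPPRESSIBLE_STATES else still_open).append((cve, purl))
    return suppressed, still_open

# Constructed scanner output: one exact match, one exploitable, one version mismatch.
SCANNER_FINDINGS = [
    ("CVE-2026-34480", "pkg:maven/org.apache.logging.log4j/log4j-core@2.25.3"),
    ("CVE-2026-42440", "pkg:maven/org.apache.opennlp/opennlp-tools@1.9.4"),
    ("CVE-2026-34480", "pkg:maven/org.apache.logging.log4j/log4j-core@2.25.2"),
]
```

Running `triage(SCANNER_FINDINGS, index_vex(VEX_JSON))` suppresses only the exact log4j-core 2.25.3 match; the exploitable OpenNLP finding and the unmatched 2.25.2 finding stay open for a human to look at.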
We encourage feedback on VEX and tool support — join the discussion at security-discuss@community.apache.org or contact security@apache.org.
Below is a list of CVE vulnerabilities in Apache Solr dependencies and their applicability to Solr, with the assessed state of each. CVEs assessed as exploitable in Solr also have their own advisory on the security news page.
| ID | Versions | JARs | State | Title |
|---|---|---|---|---|
| CVE-2026-42440 | < 10.1.0 | opennlp-tools-1.9.4.jar | exploitable | Apache OpenNLP: Out-of-memory denial of service via crafted model file |
| CVE-2026-42027 | < 10.1.0 | opennlp-tools-1.9.4.jar | exploitable | Apache OpenNLP: Arbitrary class instantiation via model manifest |
| CVE-2026-40682 | < 10.1.0 | opennlp-tools-1.9.4.jar | exploitable | Apache OpenNLP: XXE in dictionary parsing |
| CVE-2026-34481 | 9.10.1, 10.0.0 | log4j-layout-template-json-2.25.3.jar | not affected | Apache Log4j JSON Template Layout: Invalid JSON for non-finite floating-point values |
| CVE-2026-34480 | 9.10.1, 10.0.0 | log4j-core-2.25.3.jar | not affected | Apache Log4j Core: Invalid XML output from XmlLayout |
| CVE-2026-34479 | 9.10.1, 10.0.0 | log4j-1.2-api-2.25.3.jar | not affected | Apache Log4j 1.x bridge: Malformed XML output from Log4j1XmlLayout |
| CVE-2026-34478 | 9.10.1, 10.0.0 | log4j-core-2.25.3.jar | not affected | Apache Log4j Core: Log injection via CRLF sequences in Rfc5424Layout |
| CVE-2026-34477 | 9.10.1, 10.0.0 | log4j-core-2.25.3.jar | not affected | Apache Log4j Core: TLS hostname verification silently ignored in Socket, SMTP and Syslog appenders |
| CVE-2024-51504 | 9.4.0-9.8.1 | zookeeper-3.9.0.jar, zookeeper-3.9.1.jar, zookeeper-3.9.2.jar | not affected | Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server |
| CVE-2024-6763 | ≤ 9.7 | jetty-http-10.0.22.jar | not affected | jetty-http |
| CVE-2023-51074, GHSA-pfh2-hfmq-phg5 | ≤ 9.5 | json-path-2.8.0.jar | not affected | json-path |
| CVE-2022-42889 | ≤ 9.0 | commons-text-1.9.jar | not affected | commons-text |
| CVE-2022-39135 | 6.5-8.11.2, 9.0 | calcite-1.31.0.jar | exploitable | calcite |
| CVE-2022-33980 | ≤ 9.0 | commons-configuration2-2.7.jar | not affected | commons-configuration2 |
| CVE-2022-25168 | ≤ 9.0 | hadoop-common-3.2.2.jar | not affected | hadoop-common |
| CVE-2021-45105, CVE-2021-45046 | 7.4-8.11.1 | log4j-core-2.14.1.jar, log4j-core-2.16.0.jar | not affected | log4j-core |
| CVE-2021-44832 | 7.4-8.11.1 | log4j-core-2.14.1.jar, log4j-core-2.16.0.jar | not affected | log4j-core |
| CVE-2021-33813 | ≤ 8.x | jdom-*.jar | not affected | jdom-* |
| CVE-2020-27223 | 7.3.0-8.x | jetty-9.4.6 to 9.4.36 | not affected | jetty-9.4.6 to 9.4.36 |
| CVE-2020-27218 | 7.3.0-8.8.0 | jetty-9.4.0 to 9.4.34 | not affected | jetty-9.4.0 to 9.4.34 |
| CVE-2020-13955 | 8.1.0-8.x | avatica-core-1.13.0.jar, calcite-core-1.18.0.jar | not affected | avatica-core |
| CVE-2019-16869 | 8.2-8.3 | netty-all-4.1.29.Final.jar | not affected | netty-all |
| CVE-2019-10241, CVE-2019-10247 | 7.7.0-8.2 | jetty-9.4.14 | not affected | jetty |
| CVE-2019-10086 | 8.0.0-8.3.0 | commons-beanutils-1.9.3.jar | not affected | commons-beanutils |
| CVE-2018-8088 | 4.x-9.1 | slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar | not affected | slf4j-api |
| CVE-2018-1471 | 5.4.0-7.7.2, 8.0-8.3 | simple-xml-2.7.1.jar | not affected | simple-xml |
| CVE-2018-1335 | 7.3.1-7.5.0 | tika-core.1.17.jar | not affected | tika-core.1.17 |
| CVE-2018-10237 | 5.4.0-8.x | carrot2-guava-18.0.jar | not affected | carrot2-guava |
| CVE-2018-10237 | 4.6.0-8.x | guava-*.jar | not affected | guava-* |
| CVE-2018-1000632 | 4.6.0-8.x | dom4j-1.6.1.jar | not affected | dom4j |
| CVE-2018-1000056 | 4.6.0-7.6.0 | junit-4.10.jar | not affected | junit |
| CVE-2017-15718 | 6.6.1-7.6.0 | hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop) | not affected | hadoop-auth |
| CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, CVE-2019-12384, CVE-2018-12814, CVE-2019-14379, CVE-2019-14439, CVE-2020-35490, CVE-2020-35491, CVE-2021-20190, CVE-2019-14540, CVE-2019-16335 | 4.7.0-8.x | jackson-databind-*.jar | not affected | jackson-databind-* |
| CVE-2017-14952 | 6.0.0-7.5.0 | icu4j-56.1.jar, icu4j-59.1.jar | not affected | icu4j |
| CVE-2017-14868, CVE-2017-14949 | 5.2.0-8.x | org.restlet-2.3.0.jar | not affected | org.restlet |
| CVE-2016-6809, CVE-2018-1335, CVE-2018-1338, CVE-2018-1339 | 5.5.5, 6.2.0-9.10 | vorbis-java-tika-0.8.jar | not affected | vorbis-java-tika |
| CVE-2015-0899, CVE-2016-1181, CVE-2016-1182 | 6.6.2-8.x | velocity-tools-2.0.jar | not affected | Apache Struts 1 CVEs via velocity-tools transitive dependency |
| CVE-2015-5237 | 6.5.0-7.x | protobuf-java-3.1.0.jar | not affected | protobuf-java |
| CVE-2014-7940, CVE-2016-6293, CVE-2016-7415, CVE-2017-14952, CVE-2017-17484, CVE-2017-7867, CVE-2017-7868 | 7.3.1 | lucene-analyzers-icu-7.3.1.jar | not affected | lucene-analyzers-icu |
| CVE-2014-0114 | 4.9.0-7.5.0 | commons-beanutils-1.8.3.jar | not affected | commons-beanutils |
| CVE-2012-2098, CVE-2018-1324, CVE-2018-11771 | 4.6.0-7.x | commons-compress (only as part of Ant 1.8.2) | not affected | commons-compress (only as part of Ant 1.8.2) |
| CVE-2012-0881 | 2.9-9.10 | xercesImpl-2.9.1.jar | not affected | xercesImpl |