Dom4j raises a CVE


Hello everybody,

the transitive dependency dom4j 1.6.1, which is used by hibernate core, has a CVE (see
I noticed that the version is very old (year 2006). Why isn't the latest org.dom4j 2.x.x used?
The newest version 2.1.1 has this CVE too, but I hope it will be fixed in the next version.

Thanks and cheers


EDIT: dom4j 2.1.1 fixed this issue.


Thanks for the heads up. Please create a Jira issue for this. Thanks.


Thanks for the issue and Pull Request.