24 changes: 24 additions & 0 deletions posts/2026-01-27-26.0.0.1.adoc
Expand Up @@ -69,6 +69,7 @@ In this release, Open Liberty introduces log throttling to automatically suppres
In link:{url-about}[Open Liberty] 26.0.0.1:

* <<logging, Log Throttling>>
* <<CVEs, Security Vulnerability (CVE) Fixes>>
* <<bugs, Notable bug fixes>>

// // // // // // // //
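Review bot: The label of the added list entry, "Security Vulnerability (CVE) Fixes", is title-cased, while the section it points to is headed "Security vulnerability (CVE) fixes in this release". Use the heading's sentence case in the cross-reference label so the contents list and the section agree. The same entry is added to the 26.0.0.2 and 26.0.0.3 posts in this PR.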
Expand Down Expand Up @@ -207,6 +208,29 @@ When `throttleType` is set to `message`, throttling is applied to the entire mes

// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>

[#CVEs]
== Security vulnerability (CVE) fixes in this release
[cols="5*"]
|===
|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes

|https://www.cve.org/CVERecord?id=CVE-2025-12635[CVE-2025-12635]
|5.4
|Cross-site scripting
|17.0.0.3-25.0.0.12
|Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0`, and `servlet-6.0` features
|===
// // // // // // // //
// In the preceding section:
// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
// Note: When linking to features, use the
// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and
// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
//
// If there are no CVEs fixed in this release, replace the table with:
// "There are no security vulnerability fixes in Open Liberty [RELEASE_VERSION]."
// // // // // // // //
For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].

[#bugs]
== Notable bugs fixed in this release
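Review bot: The Notes cell of the CVE-2025-12635 row lists `servlet-3.1`, `servlet-4.0`, `servlet-5.0`, and `servlet-6.0` as inline code, but the template comment kept at the bottom of this same section says features should be linked in the `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` form. Either link the four features that way or, if plain feature names are the intended style for this table, reword the comment so the next author is not misled. The 26.0.0.2 and 26.0.0.3 tables in this PR follow the same pattern.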
29 changes: 27 additions & 2 deletions posts/2026-02-24-26.0.0.2.adoc
Expand Up @@ -67,6 +67,7 @@ This release introduces Java Toolchains support, enabling developers to decouple
In link:{url-about}[Open Liberty] 26.0.0.2:

* <<java_toolchains, Java Toolchains in Liberty Build Plugins>>
* <<CVEs, Security Vulnerability (CVE) Fixes>>
* <<bugs, Notable bug fixes>>

View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26002+label%3A%22release+bug%22[26.0.0.2].
Expand Down Expand Up @@ -159,11 +160,10 @@ With Java Toolchains, you can now run your build tool on a modern JDK (for examp

=== Maven Plugin integration

The Liberty Maven plugin now integrates seamlessly with the maven-toolchain-plugin. To use this feature, define your available JDKs in your `~/.m2/toolchains.xml` file. The plugin automatically detects and uses the toolchain that is specified in your project's `pom.xml` file.
The Liberty Maven Plugin now integrates seamlessly with the maven-toolchain-plugin as of version 3.12.0.
To use this feature, define your available JDKs in your `~/.m2/toolchains.xml` file and then configure `<jdkToolchain>` tag in `<configuration>`.

The plugin automatically detects and uses the toolchain specified in your project’s `pom.xml` file.

For detailed configuration steps and parameters, see the link:https://github.com/OpenLiberty/ci.maven/blob/main/docs/toolchain.md[Liberty Maven Plugin Toolchain documentation].

The plugin acknowledges the JDK vendor and version constraints that are defined in your Maven profiles, helping to ensure that your server environment remains consistent across different developer machines and CI/CD pipelines.
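Review bot: Under "Maven Plugin integration", the sentence about the plugin automatically detecting the toolchain from `pom.xml` appears twice in this hunk, once at the end of the single-line paragraph and once as its own paragraph two lines later; check that the resulting file keeps only one of them. Of the two wordings shown, the one that states "as of version 3.12.0" and names the `<jdkToolchain>` setting tells readers the minimum plugin version and the configuration they need, so that detail should survive. It needs an article ("configure the `<jdkToolchain>` tag"), and the capitalisation of "Liberty Maven Plugin" and the apostrophe style in "project's" should match the rest of the post.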
Expand Down Expand Up @@ -224,6 +224,31 @@ java {

// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>

[#CVEs]
== Security vulnerability (CVE) fixes in this release
[cols="5*"]
|===
|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes

|https://www.cve.org/CVERecord?id=CVE-2025-14914[CVE-2025-14914]
|7.6
|Remote code execution
|17.0.0.3-26.0.0.1
|Affects the `restConnector-2.0` feature
|===
// // // // // // // //
// In the preceding section:
// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
// Note: When linking to features, use the
// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and
// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
//
// If there are no CVEs fixed in this release, replace the table with:
// "There are no security vulnerability fixes in Open Liberty [RELEASE_VERSION]."
// // // // // // // //
For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].


[#bugs]
== Notable bugs fixed in this release

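Review bot: The section added here ends with two blank lines before `[#bugs]`, where the same section in the 26.0.0.1 post ends with one. Drop the extra blank line so the posts keep the same layout.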
32 changes: 32 additions & 0 deletions posts/2026-03-24-26.0.0.3.adoc
Expand Up @@ -68,6 +68,7 @@ In link:{url-about}[Open Liberty] 26.0.0.3:

* <<userregistry, UserRegistry Attribute Reader Enhancement>>
* <<jandex, Jandex Index Format Support Update>>
* <<CVEs, Security Vulnerability (CVE) Fixes>>
* <<bugs, Notable bug fixes>>

View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26003+label%3A%22release+bug%22[26.0.0.3].
Expand Down Expand Up @@ -293,6 +294,37 @@ For more information, see the link:https://smallrye.io/jandex/jandex/3.5.3/index

// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>

[#CVEs]
== Security vulnerability (CVE) fixes in this release
[cols="5*"]
|===
|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes

|https://www.cve.org/CVERecord?id=CVE-2025-14923[CVE-2025-14923]
|4.7
|Weaker security
|17.0.0.3-26.0.0.2
|

|https://www.cve.org/CVERecord?id=CVE-2024-29371[CVE-2024-29371]
|7.5
|Denial of service
|21.0.0.3-26.0.0.2
|Affects the `openidConnectClient-1.0`, `socialLogin-1.0`, `mpJwt-1.2`, `mpJwt-2.0`, `mpJwt-2.1`, and `jwt-1.0` features
|===
// // // // // // // //
// In the preceding section:
// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
// Note: When linking to features, use the
// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and
// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
//
// If there are no CVEs fixed in this release, replace the table with:
// "There are no security vulnerability fixes in Open Liberty [RELEASE_VERSION]."
// // // // // // // //
For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].


[#bugs]
== Notable bugs fixed in this release

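Review bot: The CVE-2025-14923 row leaves the Notes cell empty and gives the assessment only as "Weaker security", so a reader cannot tell from this table which features or configurations are affected. If the fix applies regardless of which features are enabled, say so in Notes; otherwise list the affected features the way the CVE-2024-29371 row below it does.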
21 changes: 12 additions & 9 deletions posts/2026-04-07-26.0.0.4-beta.adoc
Expand Up @@ -28,7 +28,7 @@ The link:{url-about}[Open Liberty] 26.0.0.4-beta includes the following beta fea
** <<jakarta_security, Application Security 6.0 (Jakarta Security 4.0)>>
* <<java_26, Beta support for Java 26>>
* <<mcp, Updates to `mcpServer-1.0`>>
* <<data_1.1, Preview of some Jakarta Data 1.1 M2 capability>>
* <<jakarta_data, Preview of some Jakarta Data 1.1 M2 capability>>
* <<jandex_index, Support for Reading Jandex Indexes from WEB-INF/classes in Web Modules>>


Expand Down Expand Up @@ -296,7 +296,7 @@ Re-enter text:

===== Application Specification

The link:https://jakarta.ee/specifications/security/4.0/jakarta-security-spec-4.0#handling-multiple-authentication-mechanisms[Jakarta Security 4.0] specification allows multiple multiple HTTP Authentication Mechanisms (HAMs) to be defined within a single application, as shown in the following example:
The link:https://jakarta.ee/specifications/security/4.0/jakarta-security-spec-4.0#handling-multiple-authentication-mechanisms[Jakarta Security 4.0] specification allows multiple HTTP Authentication Mechanisms (HAMs) to be defined within a single application, as shown in the following example:

[source,java]
----
Expand Down Expand Up @@ -421,8 +421,11 @@ public class CustomHAMHandler implements HttpAuthenticationMechanismHandler {
@Inject @Fallback // this will be the Custom HAM
private HttpAuthenticationMechanism fallbackHAM;

public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
HttpMessageContext context) throws AuthenticationException {
public AuthenticationStatus validateRequest(
HttpServletRequest request,
HttpServletResponse response,
HttpMessageContext context
) throws AuthenticationException {

String path = request.getRequestURI();

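Review bot: `String path = request.getRequestURI();` at the end of this hunk reads the raw request URI, which the container does not decode and which includes the context path and any path parameters. If the lines that follow select an authentication mechanism by matching on `path`, that comparison can disagree with the servlet mapping for encoded URLs or URLs that carry path parameters, and this is sample code readers will copy. Prefer `getServletPath()` together with `getPathInfo()`, or normalise the value before comparing. While the signature is being reflowed, adding `@Override` to `validateRequest` would also let the compiler catch any drift from `HttpAuthenticationMechanismHandler`.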
Expand Down Expand Up @@ -530,7 +533,7 @@ This beta release of Open Liberty includes updates to the `mcpServer-1.0` featur

Tools can now be registered dynamically through an API. This capability allows the set of available tools on the server to be adjusted based on configuration or environment.

Tools can be registered by injecting `ToolManager` and calling its methods to add, remove, and list the available tools on the server. The full Javadoc for `ToolManager` can be found within the liberty beta in `dev/api/ibm/javadoc/io.openliberty.mcp_1.0-javadoc.zip`.
Tools can be registered by injecting `ToolManager` and calling its methods to add, remove, and list the available tools on the server. The full Javadoc for `ToolManager` can be found within the Liberty beta in `dev/api/ibm/javadoc/io.openliberty.mcp_1.0-javadoc.zip`.

Tools can be registered when the application starts through the CDI `Startup` event. See the following example where the `Startup` event is used to register a weather forecast tool only if a `WeatherClient` bean is available.

Expand Down Expand Up @@ -583,7 +586,7 @@ The result of a `tools/list` call is now paginated with a page size of 20. This
=== Bug fixes

* During cancellation of a tool call, we check that both the session id and the authenticated user match the session id and the user that made the tool call. Previously only the session id was checked.
* Messages that are returned to the MCP client no longer contain OpenLiberty message codes.
* Messages that are returned to the MCP client no longer contain Open Liberty message codes.
* Structured content is only returned when client is using protocol version `2025-06-18` or later.

=== Further information
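Review bot: The last bullet of the "Bug fixes" list, "Structured content is only returned when client is using protocol version `2025-06-18` or later", is missing "the" before "client". This hunk already corrects the wording of the bullet above it, so fix that one in the same pass.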
Expand All @@ -598,10 +601,10 @@ The result of a `tools/list` call is now paginated with a page size of 20. This
// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/34299
// Contact/Reviewer: njr-11
// // // // // // // //
[#data_1.1]
[#jakarta_data]
== Preview of some Jakarta Data 1.1 M2 capability

Previews some new capability at the Jakarta Data 1.1 Milestone 2 level: `Constraint` subtype parameters for repository methods that constraints to repository `@Find` operations and limited use of `Restriction` with repository `@Find` operations. Also included from the prior beta are: retrieving a subset/projection of entity attributes and the `@Is` annotation.
Previews some new capability at the Jakarta Data 1.1 Milestone 2 level: `Constraint` subtype parameters for repository methods that constrain to repository `@Find` operations and limited use of `Restriction` with repository `@Find` operations. Also included from the prior beta are: retrieving a subset/projection of entity attributes and the `@Is` annotation.

Previously, parameter-based `@Find` reposotory methods could filter results only using equality conditions. This limitation has now been removed, allowing additional filtering options to be defined.

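Review bot: "reposotory" in the paragraph that begins "Previously, parameter-based `@Find`" is still misspelled and should read "repository". In the sentence above it, both wordings shown ("that constraints to" and "that constrain to") leave the clause without an object; something like "that apply constraints to repository `@Find` operations" would read correctly, if that is the intended meaning.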
Expand Down Expand Up @@ -824,7 +827,7 @@ When the new property is placed on an application manager element, it applies to

Jandex index support requires explicit enablement. See the `useJandex` property  on `applicationManager` and on `application` elements. The new `useJandexUnderClasses` property is meaningful only if the `useJandex` property is `true`.

For compatibility with an earlier versions, reads of Jandex from the new location requires explicit enablement. See the new *useJandexUnderClasses* property, as documented previously. Explicit enablement is required to prevent applications from accidentally reading an out of date Jandex index from the new location. An out of date Jandex index might cause hard to detect application errors.
For compatibility with earlier versions, reads of Jandex from the new location require explicit enablement. See the new *useJandexUnderClasses* property, as documented previously. Explicit enablement is required to prevent applications from accidentally reading an out of date Jandex index from the new location. An out of date Jandex index might cause application errors that are hard to detect.

The name of the new property, *useJandexUnderClasses*, is subject to revision.

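Review bot: The property name is written as `useJandexUnderClasses` in backticks in the first paragraph of this hunk but as *useJandexUnderClasses* in bold in the two paragraphs after it; use backticks throughout, as is done for `useJandex`. "out of date Jandex index" should be hyphenated ("out-of-date") where it modifies the noun, and "property  on" in the first paragraph has a doubled space.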