Hi, I ran a Prisma scan on the latest Pinot release and see the following vulns (these are critical and high, there are some medium and low as well not mentioned here):
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-2332 | critical | 9.10 | org.eclipse.jetty_jetty-io | 9.4.58.v20250814 | fixed in 12.1.7, 12.0.33, 11.0.28,... | 42 days | < 1 hour | In Eclipse Jetty, the HTTP/1.1 parser is |
| | | | | | 25 days ago | | | vulnerable to request smuggling when chunk |
| | | | | | | | | extensions are used, similar to the "funky |
| | | | | | | | | chunks" techniques ou... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-33871 | high | 8.70 | io.netty_netty-codec-http2 | 4.1.122.Final | fixed in 4.2.11.Final, 4.1.132.Final | 60 days | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | 61 days ago | | | application framework. In versions prior to |
| | | | | | | | | 4.1.132.Final and 4.2.10.Final, a remote user can |
| | | | | | | | | trigger a... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2025-59419 | high | 7.70 | io.netty_netty-codec-smtp | 4.1.122.Final | fixed in 4.2.7.Final, 4.1.128.Final | > 7 months | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | > 7 months ago | | | application framework. In versions prior to |
| | | | | | | | | 4.1.128.Final and 4.2.7.Final, the SMTP codec in |
| | | | | | | | | Netty cont... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-42587 | high | 7.50 | io.netty_netty-codec-http | 4.1.122.Final | fixed in 4.2.13.Final, 4.1.133.Final | 13 days | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | 19 days ago | | | application framework. Prior to 4.2.13.Final and |
| | | | | | | | | 4.1.133.Final, HttpContentDecompressor accepts a |
| | | | | | | | | maxAl... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-42587 | high | 7.50 | io.netty_netty-codec-http2 | 4.1.122.Final | fixed in 4.2.13.Final, 4.1.133.Final | 13 days | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | 19 days ago | | | application framework. Prior to 4.2.13.Final and |
| | | | | | | | | 4.1.133.Final, HttpContentDecompressor accepts a |
| | | | | | | | | maxAl... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-42583 | high | 7.50 | io.netty_netty-codec | 4.1.122.Final | fixed in 4.1.133.Final | 13 days | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | 19 days ago | | | application framework. Prior to 4.2.13.Final and |
| | | | | | | | | 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf |
| | | | | | | | | of ... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-42579 | high | 7.50 | io.netty_netty-codec-dns | 4.1.122.Final | fixed in 4.2.13.Final, 4.1.133.Final | 13 days | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | 19 days ago | | | application framework. Prior to 4.2.13.Final and |
| | | | | | | | | 4.1.133.Final, Netty's DNS codec does not enforce |
| | | | | | | | | RFC... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-34481 | high | 7.50 | org.apache.logging.log4j_log4j-core | 2.25.3 | fixed in 2.25.4 | 46 days | < 1 hour | Apache Log4j's JsonTemplateLayout |
| | | | | | 32 days ago | | | https://logging.apache.org/log4j/2.x/manual/json-template-layout.html |
| | | | | | | | | , in versions up to and including 2.25.3, pr... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-34480 | high | 7.50 | org.apache.logging.log4j_log4j-core | 2.25.3 | fixed in 2.25.4 | 46 days | < 1 hour | Apache Log4j Core's XmlLayout |
| | | | | | 46 days ago | | | https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout |
| | | | | | | | | , in versions up to and including 2.25.3, fails to ... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-34479 | high | 7.50 | org.apache.logging.log4j_log4j-core | 2.25.3 | fixed in 2.25.4 | 46 days | < 1 hour | The Log4j1XmlLayout from the Apache Log4j |
| | | | | | 20 days ago | | | 1-to-Log4j 2 bridge fails to escape characters |
| | | | | | | | | forbidden by the XML 1.0 standard, producing |
| | | | | | | | | malformed XML ou... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-34478 | high | 7.50 | org.apache.logging.log4j_log4j-core | 2.25.3 | fixed in 2.25.4 | 46 days | < 1 hour | Apache Log4j Core's Rfc5424Layout |
| | | | | | 43 days ago | | | https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout |
| | | | | | | | | , in versions 2.21.0 through 2.25.3, is vul... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-33870 | high | 7.50 | io.netty_netty-codec-http | 4.1.122.Final | fixed in 4.2.10.Final, 4.1.132.Final | 60 days | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | 61 days ago | | | application framework. In versions prior to |
| | | | | | | | | 4.1.132.Final and 4.2.10.Final, Netty incorrectly |
| | | | | | | | | parses qu... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2025-55163 | high | 7.50 | io.netty_netty-codec-http2 | 4.1.122.Final | fixed in 4.2.4.Final, 4.1.124.Final | > 9 months | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | > 9 months ago | | | application framework. Prior to versions |
| | | | | | | | | 4.1.124.Final and 4.2.4.Final, Netty is vulnerable |
| | | | | | | | | to MadeYouR... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-45300 | high | 7.40 | org.asynchttpclient_async-http-client | 3.0.7 | fixed in 3.0.10, 2.15.0 | n/a | < 1 hour | |
| | | | | | 8 days ago | | | |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-2332 | high | 7.40 | org.eclipse.jetty_jetty-http | 9.4.58.v20250814 | fixed in 12.1.7, 12.0.33 | 42 days | < 1 hour | In Eclipse Jetty, the HTTP/1.1 parser is |
| | | | | | 42 days ago | | | vulnerable to request smuggling when chunk |
| | | | | | | | | extensions are used, similar to the "funky |
| | | | | | | | | chunks" techniques ou... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-42584 | high | 7.30 | io.netty_netty-codec-http | 4.1.122.Final | fixed in 4.2.13.Final, 4.1.133.Final | 13 days | < 1 hour | Netty is an asynchronous, event-driven network |
| | | | | | 19 days ago | | | application framework. Prior to 4.2.13.Final and |
| | | | | | | | | 4.1.133.Final, HttpClientCodec pairs each inbound |
| | | | | | | | | resp... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
| CVE-2026-40542 | high | 7.30 | org.apache.httpcomponents.client5_httpclient5 | 5.6 | fixed in 5.6.1 | 34 days | < 1 hour | Missing critical step in authentication in Apache |
| | | | | | 27 days ago | | | HttpClient 5.6 allows an attacker to cause the |
| | | | | | | | | client to accept SCRAM-SHA-256 authentication |
| | | | | | | | | without... |
+---------------------+----------+------+-----------------------------------------------+--------------------+---------------------------------------+------------+------------+------------------------------------------------------------------------+
Is there a plan to patch for these? Thanks!