Dependency-Track - 9 CVEs (Page 1/1)

About “Dependency-Track”

A curated feed of “Dependency-Track”-related CVEs appears below. We currently track 9 CVEs for this tag (all time). In the last 365 days, 2 were published. Average CVSS is 5.5 (all time; 4.8 over 365d), and 11% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-522 - Insufficiently Protected Credentials.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: dependency-track

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL
4.14	2026-03-09	4.14.2	-
4.13	2025-04-07	4.13.6	2026-03-09 Expired
4.12	2024-10-01	4.12.7	2025-04-07 Expired
4.11	2024-05-07	4.11.7	2024-10-01 Expired
4.10	2023-12-08	4.10.1	2024-05-07 Expired
4.9	2023-10-16	4.9.1	2023-12-08 Expired
4.8	2023-04-18	4.8.2	2023-10-16 Expired
4.7	2022-12-16	4.7.1	2023-04-18 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Dependency-Track” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2025-11-17

Medium

CVE-2025-64758

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-10-07

Medium

CVE-2025-61776

Dependency-Track is a component analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.13.5, Dependency-Track may send credentials me…

CVSS: 4.7 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD

2025-02-24

Medium

CVE-2025-27137

Dependency-Track is a component analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track allows users with the `SYSTEM_CONFIGURATION` per…

CVSS: 4.4 CWE: CWE-73 - External Control of File Name or Path View on NVD

2024-12-04

Medium

CVE-2024-54002

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoin…

CVSS: 5.3 CWE: CWE-203 - Observable Discrepancy View on NVD

2022-10-25

Medium

CVE-2022-39351

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid A…

CVSS: 4.4 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD

Medium

CVE-2022-39350

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2021-03-30

High

CVE-2021-21633

A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD

Medium

CVE-2021-21632

A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stor…

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD

2019-07-29

Medium

CVE-2019-1020007

Dependency-Track before 3.5.1 allows XSS.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD