24 upstream CVEs landed across Tomcat, Netty, Thymeleaf, Jetty, and pgjdbc in a single month — every one reachable through the Spring Boot managed-dependency BOM on at least one EOL line.

A pre-auth path traversal in spring-cloud-config-server lets unauthenticated attackers read arbitrary files on the host. Affects 3.1.x through 5.0.x, with no upstream fix for EOL branches.

HeroDevs releases a drop-in replacement for Log4j 2.17.x patching two TLS hostname verification bypasses and three log pipeline vulnerabilities with no upstream fix available.