Travis Spencer (
https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058%...
) *commented* on HV-1498 (
https://hibernate.atlassian.net/browse/HV-1498?atlOrigin=eyJpIjoiNjU4OGVi...
)
Re: Privilege escalation when running under the security manager (
https://hibernate.atlassian.net/browse/HV-1498?atlOrigin=eyJpIjoiNjU4OGVi...
)
The fix version is set to 5.2-next and I see this on the HEAD of the 5.2 branch, but I'm wondering what exact version of 5.2 this fix is in. On the NIST site ( https://nvd.nist.gov/vuln/detail/CVE-2017-7536 ), the CVE says:

"In Hibernate Validator 5.2.x before 5.2.5 final"

This makes me think that 5.2.5 Final is not vulnerable. However, I don't see it in the 5.2 changelog ( https://github.com/hibernate/hibernate-validator/blob/5.2/changelog.txt ), so I'm confused. Fossa scan is also reporting 5.2.5 Final as vulnerable. Can you confirm whether the fix is in 5.2.5 Final, whether there's a 5.2.6 planned that will have this fix, or whether going to 5.3 (or 5.4) is the way to go?