All versions of Dependency-Track from version 3.0.0 to 3.5.0 are affected. Malicious payloads would need to be crafted and stored by users with the PORTFOLIO_MANAGEMENT permission. Users without this permission would be unable to store malicious payloads but could be affected by data already persisted.
These issues have been corrected in Dependency-Track v3.5.1 and higher.
Thanks to 1jesper1 for finding and responsibly disclosing these issues.