16.1.1

What's Changed

• CVE-2026-33672 CVE-2026-33671: Method injection in POSIX character classes causes incorrect glob matching Related glob security issue patched in the same release by @Copilot in #970
• CVE-2026-33870 Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing by @dependabot[bot] in #972
• CVE-2025-67030 Plexus-Utils has a Directory Traversal vulnerability in its extractFile method by @dependabot[bot] in #974
• CVE-2026-4800 CVE-2026-2950 lodash vulnerable to Code Injection via _.template imports key names lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit by @dependabot[bot] in #978
• CVE-2026-27315 CVE-2026-32588 Apache Cassandra has sensitive Information Leak in cqlsh + has an authenticated DoS over CQL by @dependabot[bot] in #981
• CVE-2025-64718 js-yaml has prototype pollution in merge (<<) by @dependabot[bot] in #994
• CVE-2026-21884 CVE-2026-22029 CVE-2026-22030 React Router SSR XSS in ScrollRestoration ,vulnerable to XSS via Open Redirects, CSRF issue in Action/Server Action Request Processing by @dependabot[bot] in #993
• CVE-2026-27606 Rollup 4 has Arbitrary File Write via Path Traversal by @dependabot[bot] in #992
• CVE-2026-33228 CVE-2026-32141 Prototype Pollution via parse() in NodeJS flatted, flatted vulnerable to unbounded recursion DoS in parse() revive phase by @dependabot[bot] in #991
• CVE-2026-39364 CVE-2026-39365 CVE-2026-39363 CVE-2025-62522 Vite: server.fs.deny bypassed, Path Traversal in Optimized Deps, Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket, server.fs.deny bypass via backslash on Windows by @dependabot[bot] in #990
• CVE-2026-4800 CVE-2025-13465 CVE-2026-2950 lodash vulnerable to Code Injection via _.template imports key names, odash has Prototype Pollution Vulnerability in _.unset and _.omit functions by @dependabot[bot] in #989
• CVE-2026-29063 Immutable is vulnerable to Prototype Pollution by @dependabot[bot] in #988
• CVE-2026-33671 CVE-2026-33672 Picomatch has a ReDoS vulnerability Picomatch: Method Injection in POSIX Character Classes by @dependabot[bot] in #987
• CVE-2026-26996 CVE-2026-27903 CVE-2026-27904 minimatch has a ReDoS by @dependabot[bot] in #986
• GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets by @dependabot[bot] in #985
• CVE-2025-13465 Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions by @dependabot[bot] in #995
• CVE-2026-26996 CVE-2026-27903 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern, minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments by @dependabot[bot] in #996
• CVE-2026-26996 CVE-2026-27903 minimatch has a ReDoS via repeated wildards with non-matching literal in pattern, minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments by @maximthomas in #997
• CVE-2026-27903 CVE-2026-27904 CVE-2026-26996 UI: update grunt to 1.6.2 to address vulnerabilities by @maximthomas in #998
• CVE-2025-12383 a race condition (CWE-362) that can cause SSL/TLS settings (mTLS, custom key/trust stores) to be silently ignored under concurrent connection load, enabling certificate bypass / MITM by @Copilot in #1001
• CVE-2025-8916 unbounded memory allocation in PKIXCertPathReviewer when processing malicious certificate chains with oversized name constraint structures, enabling DoS by @Copilot in #1002
• CVE-2025-7962 Jakarta Mail vulnerable to SMTP Injection by @dependabot[bot] in #1005
• CVE-2026-41305 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output by @dependabot[bot] in #1009
• CVE-2026-42577 Netty epoll transport denial of service via RST on half-closed TCP connection by @dependabot[bot] in #1016
• CVE-2026-44728 @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input by @dependabot[bot] in #1019
• CVE-2026-6321 CVE-2026-6322 fast-uri vulnerable via percent-encoded dot segments by @dependabot[bot] in #1018
• CVE-2026-6321 CVE-2026-6322 fast-uri vulnerable via percent-encoded dot segments by @dependabot[bot] in #1017
• CVE-2026-43869 Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability by @vharseko in #1020
• CVE-2026-8723 qs has a remotely triggerable DoS by @dependabot[bot] in #1026
• CVE-2026-44705 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape by @dependabot[bot] in #1029
• CVE-2026-47429 When Vitest UI server is listening, arbitrary file can be read and executed by @dependabot[bot] in #1032
• CVE-2026-22029 React Router vulnerable to XSS by @dependabot[bot] in #1035
• CVE-2026-45536 CVE-2026-45416 CVE-2026-44249 Netty: Unix-socket fd receive leaks descriptors when peer sends two at once Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking by @vharseko in #1041
• CVE-2025-66453 replace servicemix rhino bundle with org.mozilla:rhino:1.7.15.1 by @Copilot in #1037
• GHSA-g7r4-m6w7-qqqr esbuild allows arbitrary file read when running the development server on Windows by @dependabot[bot] in #1043
• CVE-2026-53550 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases by @dependabot[bot] in #1048
• CVE-2026-53663 React Router: Potential CSRF via PUT/PATCH/DELETE document requests by @dependabot[bot] in #1053
• CVE-2026-48988 CVE-2026-2327 markdown-it is has a Regular Expression Denial of Service (ReDoS) by @dependabot[bot] in #1052
• CVE-2026-49356 @babel/core: Arbitrary File Read via sourceMappingURL Comment by @dependabot[bot] in #1049
• CVE-2026-41573 LDAP Injection via _queryId Parameter thanks @nn0nkey / JD-Security SHENYI Team
• CVE-2026-44202 Authenticated Server-Side Request Forgery (SSRF) via /sessionservice thanks @nn0nkey / JD-Security SHENYI Team
• CVE-2026-44203 Pre-authentication Reflected XSS OAuth2 / OIDC thanks @gujjuboy10x00
• CVE-2026-44793 Pre-authentication Reflected XSS in SAML2 Cluster Cookie-Hash-Redirect Path thanks @gujjuboy10x00
• CVE-2026-45049 Session Hijacking via CDSSO thanks @wodzen
• CVE-2026-45048 Arbitrary Session Hijacking via Session Service RPC thanks @wodzen
• CVE-2026-45051 Conditional RCE via Java Deserialization in WebAuthn thanks @wodzen
• CVE-2026-45052 Anonymous Authentication via Liberty SOAP thanks @wodzen
• CVE-2026-45794 Unsafe Java Deserialization via Push Notification thanks @wodzen
• CVE-2026-46498 Arbitrary OAuth Token Minting via Push Registration thanks @wodzen
• CVE-2026-46560 Authentication Bypass via RADIUS Spoofing thanks @wodzen
• CVE-2026-46619 Authentication Bypass via MSISDN LDAP Injection thanks @wodzen
• CVE-2026-46623 Account Takeover via OAuth2 Unverified Password Change thanks @wodzen
• CVE-2026-47424 Authenticated RCE via Groovy Sandbox Escape thanks @wodzen
• CVE-2026-47426 OAuth Client Impersonation via JWKS Resolver Cache thanks @wodzen
• CVE-2026-48717 OAuth Authorization Bypass via PKCE Challenge thanks @wodzen
• CVE-2026-53660 Insecure SSO Cookie Initialization thanks @wodzen
• Support HttpOnly session cookie in XUI by @vharseko in #1036
• Include acr and amr claims in stateless JWT access tokens by @vharseko in #1033
• Add OAuth2 Access Token Modification Script (OAUTH2_ACCESS_TOKEN_MODIFICATION) by @vharseko in #1034
• Create base entry on external configuration store during setup by @vharseko in #1045
• OpenAM MCP server by @maximthomas in #935
• OpenAM UI JS SDK by @maximthomas in #941
• Fix SLO sending stale transient NameID when SP re-authenticates within same IdP session by @Copilot in #984
• [#1007] Fix setup error "embedded config"+"external user store": missing schema attribute type by @maximthomas in #1012
• Update build.yml add JDK 26 support by @vharseko in #967
• fix: correct inverted park condition in PooledTaskExecutorTest.LongTask by @Copilot in #971
• fix(cassandra-embedded): increase CQL request timeout to 20s in ServerTest by @Copilot in #973
• Docs: set neutral version for the docs by @maximthomas in #975
• chore: bump GitHub Actions to latest versions by @Copilot in #977
• [#980] Remove duplicated and redundant dependencies, use OpenDJ embedded slim package by @maximthomas in #983
• Bump Apache CXF to 4.0.11 by @maximthomas in #999
• Stabilize integration tests by @maximthomas in #1000
• Upgrade PowerMock 1.7.4 → 2.0.9; replace deprecated Mockito Matchers API by @Copilot in #1004
• Chore: remove assertj from parent pom compile dependencies by @maximthomas in #1014
• Take bouncycastle version from commons by @maximthomas in #1013
• Docs: fix javadoc build error by @maximthomas in #1015
• SAMLv2 smoke test by @maximthomas in #1022
• UI: remove karma outdated notifiers by @maximthomas in #1028
• OAuth2 IDP E2E smoke test by @maximthomas in #1025
• Update maven-assembly-plugin version to 3.8.0 by @vharseko in #1030
• Upgrade maven-war-plugin version to 3.5.1 by @vharseko in #1031
• MCP: bind to 127.0.0.1 by default & make change password API-compliant by @maximthomas in #1021
• [#980] Get rid of test and deprecated dependencies by @maximthomas in #1010
• Update org.openidentityplatform.opendj to 5.1.1 by @vharseko in #1042

Full Changelog: 16.0.6...16.1.1