CVE-2025-66021 not detected?

[gbrinkmann]

Hi,

I'm wondering why dependency-check-maven (v12.1.0 a.t.m.) doesn't list CVE-2025-66021 for OWASP java-html-sanitizer? Database maintainance and updates in logs look fine.

Note: I'm currently watching OWASP/java-html-sanitizer#364 - the issue might be solved in the near future.

edit, additional note: our dependency-track shows the CVE, but without severity. Maybe this is also dependency-check's problem...

Best regards

[jeremylong]

Because the cve us still in awaiting analysis at the NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66021

…

On Tue, Dec 16, 2025, 5:26 AM Gunnar Brinkmann ***@***.***> wrote: *gbrinkmann* created an issue (dependency-check/DependencyCheck#8195) <#8195> Hi, I'm wondering why dependency-check-maven (v12.1.0 a.t.m.) doesn't list CVE-2025-66021 <https://github.com/advisories/GHSA-g9gq-3pfx-2gw2> for OWASP java-html-sanitizer? Database maintainance and updates in logs look fine. Note: I'm currently watching OWASP/java-html-sanitizer#364 <OWASP/java-html-sanitizer#364> - the issue might be solved in the near future. Best regards — Reply to this email directly, view it on GitHub <#8195>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGSVQQN4J2TGSTLNQZ6IB34B7M6BAVCNFSM6AAAAACPFUJHZGVHI2DSMVQWIX3LMV43ASLTON2WKOZTG4ZTIMJWGYYTANQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[gbrinkmann]

thx a lot, have a nice day.

[chadlwilson]

The vuln is in OSSIndex, so I imagine ODC will find it if you have enabled OSSIndex and configured credentials there.