Dependency vulnerability scan does not report CVE-2026-40973, but reports newer CVE-2026-4258 #8609

Description

@dangkhoaphung

Hello support team,

We are using Dependency Check to scan vulnerable dependencies in our Java components.

We noticed an inconsistency in scan results:

We also checked suppressed vulnerabilities but could not find CVE-2026-40973 anywhere.
However, CVE-2026-40973 is reported when using the Sonatype scan.

Could you help guide us on how to investigate the root cause of why CVE-2026-40973 is not reported by the Dependency Check tool?
