[FP]: CVE-2026-2587, CVE-2026-2586 and CVE-2024-9329 in rngom-4.0.9.jar

[ZarkonPro]

Package URl

pkg:maven/com.sun.xml.bind.external/rngom@4.0.9

CPE

cpe:2.3:a:eclipse:glassfish:4.0.9:::::::*

CVE

CVE-2026-2587

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.2.2

Description

Hi.

From org.glassfish.jaxb.jaxb-runtime@4.0.9 (last library version), it uses com.sun.xml.bind.external/rngom@4.0.9 (last library version too) and dependency check reports CVE-2026-2587, CVE-2026-2586 and CVE-2024-9329

[github-actions]

Maven Coordinates

<dependency>
  <groupId>com.sun.xml.bind.external</groupId>
  <artifactId>rngom</artifactId>
  <version>4.0.9</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8612
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind\.external/rngom@.*$</packageUrl>
    <cpe regex="true">cpe:/a:eclipse:glassfish(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27596586934

[chadlwilson]

Will be fixed by linked PR