POI 5.1.0 will raise poi-ooxml's dependency on the xmlsec jar to 2.2.3 because of CVE-2021-40690. This release could take a few weeks due to some unfinished work in other areas.

https://santuario.apache.org/secadv.data/CVE-2021-40690.txt.asc?version=1&modificationDate=1631867947126&api=v2

xmlsec is only used by POI for verifying and/or adding XML signatures - this is described in more detail in https://poi.apache.org/encryption.html - so this issue is unlikely to affect all POI users. POI 5.0.0 users are recommended to upgrade the xmlsec dependency to 2.2.3 in their own builds. This should be tested (in particular any signing and signature-verification code paths) before being released to production. Users of older POI versions may also try just upgrading xmlsec; it is worth a try, but there is no guarantee that xmlsec 2.1.7 or 2.2.3, the releases that contain the CVE fix, will work with older POI releases.
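The following is an added example of how a Maven-based project on POI 5.0.0 can pin xmlsec to 2.2.3 in its own build; it is not taken from the POI project's pom files. It assumes the usual Maven coordinates org.apache.poi:poi-ooxml and org.apache.santuario:xmlsec, and the artifact versions 5.0.0 and 2.2.3 named above. Declaring xmlsec as a direct dependency makes it the "nearest" version in Maven's resolution, so it wins over whatever version poi-ooxml pulls in transitively, and it also covers a build that does not otherwise pull xmlsec in at all.

```xml
<!-- Added example (not POI's own pom): override the xmlsec version
     resolved for a project that depends on POI 5.0.0. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical coordinates for the application being built. -->
  <groupId>com.example</groupId>
  <artifactId>poi-signing-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pins xmlsec for every path that reaches it, transitive or not. -->
      <dependency>
        <groupId>org.apache.santuario</groupId>
        <artifactId>xmlsec</artifactId>
        <version>2.2.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>
      <version>5.0.0</version>
    </dependency>

    <!-- Direct declaration: nearest-wins resolution guarantees 2.2.3
         is the version on the classpath, regardless of what poi-ooxml
         declares or whether it declares xmlsec as optional. -->
    <dependency>
      <groupId>org.apache.santuario</groupId>
      <artifactId>xmlsec</artifactId>
      <version>2.2.3</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm which version actually resolved with `mvn dependency:tree -Dincludes=org.apache.santuario:xmlsec`; the output should list xmlsec:2.2.3 and nothing older. Then run the project's existing tests that sign and verify OOXML documents, since the page makes no guarantee about compatibility beyond the POI 5.1.0 release itself.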
