CIB seven 2.0.8 CE+ - Release Notes

Release Notes

Release Date: February 19, 2026

Highlights

• Updated CIB seven to resolve CVE in third party libraries

Technical Updates

Dependency Updates

• Update Spring Boot from 3.5.9 to 3.5.10
• Update tomcat from 10.1.49 to 10.1.52
• Update nodejs from 20.14.0 to 24.13.1
• Update npm from 10.7.0 to 11.8.0

Resolved CVE Vulnerabilities

Critical Severity

• CVE-2025-15467 - CVSS 9.8. affects 2 packages: libcrypto3, libssl3

High Severity

• CVE-2025-69419 - CVSS 7.4. affects 2 packages: libcrypto3, libssl3
• CVE-2025-69421 - CVSS 6.5. affects 2 packages: libcrypto3, libssl3
• CVE-2026-21932 - CVSS 7.4. Package: openjdk21-jre-headless
• CVE-2026-21945 - CVSS 7.5. Package: openjdk21-jre-headless

Medium Severity

• CVE-2025-11187 - CVSS 6.1. affects 2 packages: libcrypto3, libssl3
• CVE-2025-15468 - CVSS 5.9. affects 2 packages: libcrypto3, libssl3
• CVE-2025-15469 - CVSS 5.5. affects 2 packages: libcrypto3, libssl3
• CVE-2025-66199 - CVSS 5.9. affects 2 packages: libcrypto3, libssl3
• CVE-2025-68160 - CVSS 4.7. affects 2 packages: libcrypto3, libssl3
• CVE-2025-69418 - CVSS 4.0. affects 2 packages: libcrypto3, libssl3
• CVE-2025-69420 - CVSS 5.9. affects 2 packages: libcrypto3, libssl3
• CVE-2026-22795 - CVSS 5.5. affects 2 packages: libcrypto3, libssl3
• CVE-2026-22796 - CVSS 5.9. affects 2 packages: libcrypto3, libssl3
• CVE-2026-21925 - CVSS 4.8. Package: openjdk21-jre-headless
• CVE-2026-21933 - CVSS 6.1. Package: openjdk21-jre-headless

Low Severity

• CVE-2026-1225 - Package: ch.qos.logback:logback-core