Hi Vivek,
On June 25th, Apache Kafka 4.3.1 was released and is available for use
Of the CVEs you mentioned:
Kafka Core
- CVE-2026-41115 -> Fixed in 4.3.1 (documentation update)
OpenTelemetry
- CVE-2026-39882 -> seems to refer to opentelemetry-go and we use
opentelemetry-proto only
- CVE-2026-41078 -> seems to refer to opentelemetry-dotnet, we use
opentelemetry-proto only
- CVE-2026-40894 -> seems to refer to opentelemetry-dotnet, we use
opentelemetry-proto only
- CVE-2026-44967 -> seems to refer to opentelemetry-c++, we use
opentelemetry-proto only
JLine
- GHSA-2r2c-cx56-8933 -> seems to refer to JLine-telnet. We don't use this
submodule
- GHSA-47qp-hqvx-6r3f -> seems to refer to JLine-telnet. We don't use this
submodule
- XRAY-1005950 and XRAY-1005951 -> these appear to be JFrog Xray internal
database identifiers rather than CVEs, so we can't look them up publicly.
Could you share the affected component and version fr...