Overview

October 29, 2025

If you believe you have discovered a security vulnerability in our software, please contact us immediately at security@jahia.com. We take security seriously and appreciate your help in keeping our products safe.

This section of the Academy is here to help you understand how Jahia approaches product security. It details how we manage vulnerabilities, what information we publish, and how to use the materials we provide (advisories, CVE analysis, SBOMs, VEX) in your own security and compliance workflows.

Security at Jahia is treated as a continuous lifecycle. We build with security in mind, monitor after release, and adjust as new information emerges. When potential issues arise—whether in our own code or in third‑party components—we assess their relevance in the context of real Jahia deployments before deciding on remediation or publication. Not every upstream CVE translates into product risk; the analysis work we publish is intended to make that distinction clear.

To support automation and supply chain transparency, we also publish machine‑readable outputs: SBOMs so you can align your internal inventory with what we ship, and VEX documents so you can quickly suppress non‑applicable findings in your vulnerability management tools. The statuses you see in human‑readable tables align with the entries in these files.

We encourage responsible reporting. If you believe you have identified a security issue, please follow the private reporting instructions in the Vulnerability Handling section rather than posting details publicly.