Vulnerabilities CVE-2026-1605, CVE-2026-2332, CVE-2025-5115, and CVE-2025-48976 in AWI war file prior to 24.4.4

Article ID: 443329

Products

  • CA Automic Workload Automation - Automation Engine
  • CA Automic One Automation

Issue/Introduction

Security scanners may report multiple high-priority vulnerabilities within the Automic Web Interface (AWI) on older versions of 24.4. The specific vulnerabilities identified are:

  • CVE-2026-1605 (GHSA-xxh7-fcf3-rj7f)
  • CVE-2026-2332 (GHSA-355h-qmc2-wpwf)
  • CVE-2025-5115 (GHSA-mmxm-8w33-wc4h)
  • CVE-2025-48976 (GHSA-vv7r-c36w-3prj)

Environment

  • Automic Workload Automation (AWA)
  • Automic Web Interface (AWI) versions prior to 24.4.4

Cause

These vulnerabilities reside in third-party libraries bundled with older versions of AWI:

  • Jetty: affected by CVE-2026-1605, CVE-2026-2332, and CVE-2025-5115.
  • Apache Commons FileUpload: affected by CVE-2025-48976 (vulnerability found in commons-fileupload2-core-2.0.0-M1.jar).

Resolution

To remediate these vulnerabilities, the Automic Web Interface (AWI) must be updated to version 24.4.4 or higher (including 26.0.0).

  • Jetty Vulnerabilities (CVE-2026-1605, CVE-2026-2332, CVE-2025-5115): The vulnerable libraries are no longer used in AWI versions 24.4.4 and above.
  • Apache Commons FileUpload (CVE-2025-48976): The commons-fileupload2-core library has been updated to version 2.0.0-M4 in AWI 24.4.4+, which includes the correct mitigation. In version 26.0.0 and higher, this library is no longer used.

Note: Upgrading or replacing individual library files (e.g., .jar files) independently is not supported. A full AWI upgrade is required to ensure all dependencies are correctly aligned and the vulnerabilities are fully mitigated.
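
To confirm a scanner finding before the upgrade, and to verify the result afterwards, the bundled libraries can be read straight from the AWI war file. The following is an added example, not vendor code: it flags commons-fileupload2-core versions older than 2.0.0-M4 and lists Jetty jars for review. The `jetty-*.jar` naming, the helper names and the sample war contents are assumptions.

```python
import io
import re
import zipfile

# Jar naming taken from the article: commons-fileupload2-core-2.0.0-M1.jar
FILEUPLOAD = re.compile(r"commons-fileupload2-core-(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?\.jar$")
FIXED = (2, 0, 0, 4)  # 2.0.0-M4, the version the article says ships in AWI 24.4.4+
FINAL = 10**6         # sort key for a release without a -M suffix (newer than any milestone)


def audit_war(war):
    """Return sorted (status, entry) findings for a war given as a path or file object."""
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            m = FILEUPLOAD.match(base)
            if m:
                major, minor, patch, ms = m.groups()
                version = (int(major), int(minor), int(patch), int(ms) if ms else FINAL)
                status = "VULNERABLE" if version < FIXED else "OK"
                findings.append((status, name))
            elif base.startswith("jetty-") and base.endswith(".jar"):
                # Assumption: bundled Jetty libraries use the usual jetty-*.jar naming.
                findings.append(("REVIEW", name))
    return sorted(findings)


def make_war(jar_names):
    """Build a constructed in-memory war holding empty placeholder jars in WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample; the Jetty jar name and version are made up.
    old = make_war(["commons-fileupload2-core-2.0.0-M1.jar", "jetty-server-0.0.0.jar"])
    for status, path in audit_war(old):
        print(status, path)
```

Any VULNERABLE or REVIEW result is a reason to schedule the full AWI upgrade described above, not to swap the jar.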