As raised by Glenn Lewis in
we use a Commons Collections 3.2.1 which has a CVSS 10.0 remote code execution vulnerability.
This affects anyone who has Commons Collection on the classpath - basically through Maven dependencies at would mean also anyone who has the Taverna SCUFL2 API on the classpath.
This does not affect just Taverna Server - but also indirectly as Commons Collection is also a transitive dependency, e.g. from commons-beanutils:
Thus we should update taverna-maven-parent - perhaps to have a <dependencyManagement> section - to force a newer version of commons-collections across the board.