Hi, I've created the release/5.6.x branch and drafted a dependency update PR: https://github.com/apache/jmeter/pull/6701

We plan to release JMeter 6.0 in the near future. It would be great for users to have a security-improved 5.6 in the meantime so they don’t have to rush to 6.0 just for the CVE fixes.

Scope of the PR: only dependency version bumps that close known CVEs, no source-level refactoring beyond what the bumps require. The full test suite (JDK 8 toolchain) is green locally.

One CVE is intentionally not fixed: tika-core CVE-2025-66516. The fix ships only in Tika 3.x, which targets Java 11 and would break the 5.6.x Java 8 hard rule. Details and accepted risk are in the PR description.

If you can spin up the branch against your own JMX scenarios (even a smoke run) that would help a lot before we merge.

Thanks!

Vladimir
