Looking up the CVE entry for this (Apache Commons Text vulnrability) the GSM lists under “vulnerable products” cpe:/a:apache:commons_text:1.10.0 which is the fixed version. The vulnerable versions are 1.5 to 1.9 Is this wrong in the CVE database or should it be read differently?

Hi, this issue should be fixed with the next feed update (around 14h CET today) and requires running greenbone-feed-sync --type SCAP.