diff --git a/sonarqube.advisories.yaml b/sonarqube.advisories.yaml
index e63c5014d7..33865342d6 100644
--- a/sonarqube.advisories.yaml
+++ b/sonarqube.advisories.yaml
@@ -219,6 +219,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/sonarqube/lib/extensions/sonar-iac-plugin-1.47.0.15287.jar
 scanner: grype
+ - timestamp: 2025-07-17T19:28:51Z
+ type: pending-upstream-fix
+ data:
+ note: Upstream needs to upgrade multiple instances of commons-lang3 in plugins that are used in main package. Attempts to update didn't address CVE issues
 - id: CGA-jg27-23w9-m7hp
 aliases:
@@ -303,6 +307,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/sonarqube/elasticsearch/modules/x-pack-security/nimbus-jose-jwt-modified-8.16.3.jar
 scanner: grype
+ - timestamp: 2025-07-17T19:25:09Z
+ type: pending-upstream-fix
+ data:
+ note: Upstream needs to upgrade multiple instances of nimbus-jose-jwt in plugins that are used in main package.
 - id: CGA-rmgj-x5xj-3c37
 aliases:
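Review bot: The note added in the first hunk (`@@ -219,6 +219,10 @@`) ends with "Attempts to update didn't address CVE issues" but does not say what was attempted or which jars still carry the old commons-lang3, so nobody re-triaging this advisory can tell when `pending-upstream-fix` stops being accurate. The only location visible in the context is `sonar-iac-plugin-1.47.0.15287.jar`. If the blocker is that the library is bundled inside upstream plugin jars, say so and name them, for example `note: commons-lang3 is bundled inside upstream plugin jars (sonar-iac-plugin and others found by the scanner); a package-level bump does not replace those copies, so the fix has to come from upstream.` The advisory entry starts above the hunk, so other detection events may list further locations worth naming.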
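Review bot: In the second hunk (`@@ -303,6 +307,10 @@`) the note attributes the finding to "plugins that are used in main package", but the detection event directly above it points at `/usr/share/sonarqube/elasticsearch/modules/x-pack-security/nimbus-jose-jwt-modified-8.16.3.jar`. That path looks like a jar shipped with the bundled Elasticsearch rather than a SonarQube plugin, and the wording appears to be copied from the commons-lang3 note. If that is the only hit, the note should name the real blocker so the advisory is revisited when the right upstream moves, e.g. `note: nimbus-jose-jwt is shipped inside the bundled Elasticsearch x-pack-security module; the fix depends on upstream updating that bundle.` Earlier events of this advisory are outside the hunk, so confirm against them before rewording.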