In our project, we're checking JAR dependencies with the OWASP
dependency check for security issues for which CVEs have been reported.
There are CVEs for some of Solr's third-party dependencies in version
7.6.0, and I wonder if you have plans to update these to unaffected
versions. I don't know if these CVEs affect Solr, but even if they
don't, IMHO it would be good to update them so that users don't need to
analyze the reports in detail.
This is what I found for solr-core Maven dependencies:
As that page states, if you believe that one of the CVEs is really exploitable in Solr, then please attempt to describe why you believe Solr is vulnerable, and send a report to [hidden email] and/or file a private JIRA issue. Do not explain a new vulnerability on open mailing lists.
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com