The 1.4.x version is actively maintained.
| Version | Supported |
|---|---|
| 1.4.x | ✅ |
| < 1.4.0 | ❌ |
If you have identified a security issue, ask on the XStream mailing list for access to the XStream Security list and you will receive an invitation. Send a security report there with details to reproduce the problem with the latest XStream version.
Note, that XStream cares about security issues with XStream itself or in combination with the Java runtime, but not with 3rd party libraries. It is in the resposibility of each developer who brings those libraries together to setup the XStream Security Framework properly.