Looks like there was a remote code execution CVE in Apache Jena versions 4.7.0 and below: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22665
There’s discussion of it at https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s but oddly enough I don’t see any explicit mention of it in the Jena changelogs or any of the issue trackers.
But real question - since when can you do JavaScript scripting in SPARQL in the first place?!?
I’m assuming it’ll be via a custom function or something