gwtproject / gwt

GWT Open Source Project

Home Page:http://www.gwtproject.org

Update tapestry version

happyhua opened this issue · comments

There is a dependency in gwt on tapestry:tapestry:4.0.2, but this version is outdated and has a vulnerability: https://devhub.checkmarx.com/cve-details/CVE-2020-17531/

Probably better to update it to tapestry version 5.

As Colin already mentioned in gitter, tapestry is only used for client compile time codegen, so it shouldn't affect any server code, and attacking it should be hard.

Fwiw, GWT only uses org.apache.tapestry.util.text.LocalizedProperties/LocalizedPropertiesLoader (and the other classes they themselves use), but tapestry on Central is not modular so GWT as deployed on Central gets the full tapestry, while it's built with a JAR that only contains the few classes it needs.
It might be better to either copy the code into GWT (repackage the trimmed JAR and include the classes in gwt-user.jar – I have no idea why it's declared as a dependency of gwt-dev, it's only used in gwt-user) or rewrite/replace it. It looks like those classes were only there to be able to load properties files as UTF-8 rather than ISO-8859-1, but this is now possible using java.util.Properties directly.
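The java.util.Properties route mentioned above, as an added example that is not GWT's code or part of the issue thread: `Properties.load(InputStream)` decodes the bytes as ISO-8859-1, while `Properties.load(Reader)` with a UTF-8 `InputStreamReader` gives the behaviour LocalizedProperties provided, with no third-party dependency (and so no transitive exposure to the tapestry CVE). The class name and the sample bundle are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

public class Utf8PropertiesDemo {
    // Constructed sample: a GWT-style message bundle with non-Latin-1 text.
    static final String SAMPLE =
        "greeting=Здравствуйте\n" +
        "farewell=Auf Wiedersehen, Müller\n";

    /** Legacy behaviour: Properties.load(InputStream) always decodes as ISO-8859-1. */
    static Properties loadLatin1(byte[] bytes) throws IOException {
        Properties p = new Properties();
        try (InputStream in = new ByteArrayInputStream(bytes)) {
            p.load(in);
        }
        return p;
    }

    /** Replacement for LocalizedProperties: wrap the stream in a UTF-8 Reader (Java 6+). */
    static Properties loadUtf8(byte[] bytes) throws IOException {
        Properties p = new Properties();
        try (InputStreamReader r = new InputStreamReader(
                new ByteArrayInputStream(bytes), StandardCharsets.UTF_8)) {
            p.load(r);
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        byte[] utf8 = SAMPLE.getBytes(StandardCharsets.UTF_8);
        Properties wrong = loadLatin1(utf8);
        Properties right = loadUtf8(utf8);
        // The ISO-8859-1 load yields mojibake for the Cyrillic and the umlaut;
        // the Reader-based load reproduces the original strings.
        System.out.println("ISO-8859-1: " + wrong.getProperty("greeting"));
        System.out.println("UTF-8:      " + right.getProperty("greeting"));
        // Sanity check usable as a regression test when migrating off tapestry.
        if (!"Здравствуйте".equals(right.getProperty("greeting"))
                || !"Auf Wiedersehen, Müller".equals(right.getProperty("farewell"))) {
            throw new AssertionError("UTF-8 properties load failed");
        }
    }
}
```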