diff --git a/CVE-2022-41704.patch b/CVE-2022-41704.patch
new file mode 100644
index 0000000..1e5a1d4
--- /dev/null
+++ b/CVE-2022-41704.patch
@@ -0,0 +1,30 @@
+From: Markus Koschany
+Date: Sat, 29 Oct 2022 08:28:58 +0200
+Subject: CVE-2022-41704
+
+Origin: http://svn.apache.org/viewvc?view=revision&revision=1904320
+---
+ .../src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+index cab8e0e..a3daa0d 100644
+--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
++++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+@@ -19,6 +19,7 @@
+ package org.apache.batik.bridge;
+ 
+ import org.apache.batik.util.ParsedURL;
++import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
+ 
+ /**
+ * Default implementation for the ScriptSecurity interface.
+@@ -76,7 +77,7 @@ public class DefaultScriptSecurity implements ScriptSecurity {
+ ParsedURL docURL){
+ // Make sure that the archives comes from the same host
+ // as the document itself
+- if (docURL == null) {
++ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
+ se = new SecurityException
+ (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
+ new Object[]{scriptURL}));
diff --git a/CVE-2022-42890.patch b/CVE-2022-42890.patch
new file mode 100644
index 0000000..3c5b6da
--- /dev/null
+++ b/CVE-2022-42890.patch
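Review bot: The new `SVG_SCRIPT_TYPE_JAVA.equals(scriptType)` branch reuses the `ERROR_CANNOT_ACCESS_DOCUMENT_URL` message, so a Java-archive script that is refused while `docURL` is perfectly valid reports a misleading reason to the caller and to anyone reading the logs. The rejection itself is intentional (the default policy now refuses that script type outright), but nothing in the code says so; at minimum add a comment above the condition, e.g. `// Java-archive scripts are never accepted by the default policy, whatever the document URL (CVE-2022-41704)`, and consider a distinct message key if one exists in Messages. The enclosing constructor begins and ends outside this hunk, so the `scriptType` and `scriptURL` parameters it compares are not visible here.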
@@ -0,0 +1,41 @@
+From: Markus Koschany
+Date: Sat, 29 Oct 2022 08:13:38 +0200
+Subject: CVE-2022-42890
+
+Origin: http://svn.apache.org/viewvc?view=revision&revision=1904549
+---
+ .../main/java/org/apache/batik/script/rhino/RhinoClassShutter.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+index 3f95e5d..733061a 100644
+--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
++++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -19,6 +19,8 @@
+ package org.apache.batik.script.rhino;
+ 
+ import org.mozilla.javascript.ClassShutter;
++import java.util.Arrays;
++import java.util.List;
+ 
+ /**
+ * Class shutter that restricts access to Batik internals from script.
+@@ -27,6 +29,7 @@ import org.mozilla.javascript.ClassShutter;
+ * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
+ */
+ public class RhinoClassShutter implements ClassShutter {
++ private static final List WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
+ 
+ /*
+ public RhinoClassShutter() {
+@@ -55,6 +58,10 @@ public class RhinoClassShutter implements ClassShutter {
+ * Returns whether the given class is visible to scripts.
+ */
+ public boolean visibleToScripts(String fullClassName) {
++ if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
++ return false;
++ }
++
+ // Don't let them mess with script engine's internals.
+ if (fullClassName.startsWith("org.mozilla.javascript"))
+ return false;
diff --git a/batik.spec b/batik.spec
index 70b98b5..bb46c00 100644
--- a/batik.spec
+++ b/batik.spec
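Review bot: `WHITELIST` is declared as a raw `List`, which compiles with an unchecked warning and lets any object be looked up; since it is a fixed set of class names consulted on every `visibleToScripts` call, declare it typed and unmodifiable: `private static final List<String> WHITELIST = Collections.unmodifiableList(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"));` (adds `java.util.Collections` to the new imports). The new guard also deserves a one-line comment stating the policy it enforces, e.g. `// java.* is denied by default; only the explicit allowlist and *Permission classes remain visible to scripts (CVE-2022-42890)`, because a future maintainer will otherwise not know why these three names are special. The `visibleToScripts` method continues past the end of this hunk.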
@@ -1,7 +1,7 @@ %global classpath batik:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons Name: batik Version: 1.10 -Release: 6 +Release: 7 Summary: Batik is an inline templating engine for CoffeeScript License: Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1 URL: https://xmlgraphics.apache.org/batik/ @@ -11,6 +11,8 @@ Source1: %{name}-security.policy Patch1: 0001-Fix-imageio-codec-lookup.patch Patch6000: CVE-2019-17566.patch Patch6001: CVE-2020-11987.patch +Patch6002: CVE-2022-41704.patch +Patch6003: CVE-2022-42890.patch BuildArch: noarch @@ -122,6 +124,9 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/ %doc CHANGES MAINTAIN README NOTICE %changelog +* Wed Dec 28 2022 jiangpeng - 1.10-7 +- Fix CVE-2022-41704 and CVE-2022-42890 + * Wed Mar 31 2021 lingsheng - 1.10-6 - Remove unneeded rhino and jai_imageio in classpath
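Review bot: `Patch6002` and `Patch6003` are declared in the second hunk, but nothing in this diff applies them; if the `%prep` section (not visible here) applies patches with explicit `%patch6000 -p1`-style lines rather than `%autosetup`, matching `%patch6002 -p1` and `%patch6003 -p1` lines are needed or the two CVE fixes named in the changelog will not be in the built package. Please confirm how `%prep` is written, and if it lists patches individually, add the two application lines alongside the existing ones.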