diff --git a/CVE-2023-36479.patch b/CVE-2023-36479.patch
new file mode 100644
index 0000000000000000000000000000000000000000..56ec85ef0cb4f4426c088f936c037fa5960574a2
--- /dev/null
+++ b/CVE-2023-36479.patch
@@ -0,0 +1,52 @@
+From ec7e1fd173481e526db4092f558aa2b5aab57580 Mon Sep 17 00:00:00 2001
+From: Simone Bordet
+Date: Thu, 8 Jun 2023 10:18:54 +0200
+Subject: [PATCH] Fixes #9887 - Deprecate CGI Servlet. (#9888)
+
+Signed-off-by: Simone Bordet
+---
+ .../main/java/org/eclipse/jetty/servlets/CGI.java | 3 +++
+ .../src/main/webapp/WEB-INF/web.xml | 12 ------------
+ 2 files changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
+index 9236825cc0..6454540fe3 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
+@@ -67,7 +67,10 @@ import org.eclipse.jetty.util.log.Logger;
+ *
ignoreExitState
+ *
If true then do not act on a non-zero exec exit status")
+ *
++ *
++ * @deprecated do not use, no replacement, will be removed in a future release.
+ */
++@Deprecated
+ public class CGI extends HttpServlet
+ {
+ private static final long serialVersionUID = -6182088932884791074L;
+diff --git a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
+index 05e4f1d4f6..ef7e27930b 100644
+--- a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
++++ b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
+@@ -121,18 +121,6 @@
+ /dispatch/*
+
+
+-
+- CGI
+- org.eclipse.jetty.servlets.CGI
+- 1
+- true
+-
+-
+-
+- CGI
+- /cgi-bin/*
+-
+-
+
+ Chat
+ com.acme.ChatServlet
+--
+2.42.0.windows.2
+
diff --git a/jetty.spec b/jetty.spec
index fd46985af37abe0f32eb653e89657f2625fb8fb9..0c0b2bf9c37cf9a29ef8a1cb3b2679324aa3d1aa 100644
--- a/jetty.spec
+++ b/jetty.spec
@@ -12,7 +12,7 @@ %bcond_with jp_minimal
 Name: jetty
 Version: 9.4.16
-Release: 3
+Release: 4
 Summary: Java Webserver and Servlet Container
 License: ASL 2.0 or EPL-1.0 or EPL-2.0
 URL: http://www.eclipse.org/jetty/
@@ -28,6 +28,7 @@ Patch3: CVE-2021-28169.patch
 Patch4: CVE-2021-34428.patch
 Patch5: CVE-2022-2047.patch
 Patch6: CVE-2022-2048.patch
+Patch7: CVE-2023-36479.patch
 BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api)
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@@ -788,6 +789,9 @@ exit 0
 %license LICENSE NOTICE.txt LICENSE-MIT
 %changelog
+* Wed Dec 20 2023 ZileYao - 9.4.16-4
+- Fix CVE-2023-36479
+
 * Wed Dec 28 2022 jiangpeng - 9.4.16-3
 - Fix CVE-2022-2047 and CVE-2022-2048
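Review bot: Nothing in the added patch changes the CGI servlet's runtime behaviour: the CGI.java hunk adds only a Javadoc `@deprecated` line and an `@Deprecated` annotation, and the web.xml hunk removes the CGI registration from a test webapp, so the servlet shipped in jetty-servlets still executes exactly as before for any deployment that maps it. That matches the upstream subject `Fixes #9887 - Deprecate CGI Servlet.`, but it is weaker than what the changelog line `- Fix CVE-2023-36479` in jetty.spec suggests. I would word the changelog as what was actually done, e.g. `- Fix CVE-2023-36479: backport upstream deprecation of the CGI servlet`, and confirm against the upstream advisory whether any code change beyond this deprecation commit is part of the remediation and should be backported with it. If none is, the effective mitigation for this package is not deploying org.eclipse.jetty.servlets.CGI, which is worth stating where operators will see it.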
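Review bot: `+Patch7: CVE-2023-36479.patch` declares the patch but the diff touches no `%prep` line, and `%prep` lies outside this hunk. If the spec applies patches with explicit `%patchN` lines rather than `%autosetup`, the new patch is declared yet never applied, and the build produces the same CGI servlet as 9.4.16-3 while the changelog claims the fix. Either add the matching `%patch7 -p1` in `%prep` or confirm `%autosetup` is in use, and run a build to check the patch applies cleanly — it also edits `tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml`, which must exist in the unpacked source tree for the patch to apply.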
+ * ++ * ++ * @deprecated do not use, no replacement, will be removed in a future release. + */ ++@Deprecated + public class CGI extends HttpServlet + { + private static final long serialVersionUID = -6182088932884791074L; +diff --git a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml +index 05e4f1d4f6..ef7e27930b 100644 +--- a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml ++++ b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml +@@ -121,18 +121,6 @@ + /dispatch/* + + +- +- CGI +- org.eclipse.jetty.servlets.CGI +- 1 +- true +- +- +- +- CGI +- /cgi-bin/* +- +- + + Chat + com.acme.ChatServlet +-- +2.42.0.windows.2 + diff --git a/jetty.spec b/jetty.spec index fd46985af37abe0f32eb653e89657f2625fb8fb9..0c0b2bf9c37cf9a29ef8a1cb3b2679324aa3d1aa 100644 --- a/jetty.spec +++ b/jetty.spec @@ -12,7 +12,7 @@ %bcond_with jp_minimal Name: jetty Version: 9.4.16 -Release: 3 +Release: 4 Summary: Java Webserver and Servlet Container License: ASL 2.0 or EPL-1.0 or EPL-2.0 URL: http://www.eclipse.org/jetty/ @@ -28,6 +28,7 @@ Patch3: CVE-2021-28169.patch Patch4: CVE-2021-34428.patch Patch5: CVE-2022-2047.patch Patch6: CVE-2022-2048.patch +Patch7: CVE-2023-36479.patch BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) @@ -788,6 +789,9 @@ exit 0 %license LICENSE NOTICE.txt LICENSE-MIT %changelog +* Wed Dec 20 2023 ZileYao - 9.4.16-4 +- Fix CVE-2023-36479 + * Wed Dec 28 2022 jiangpeng - 9.4.16-3 - Fix CVE-2022-2047 and CVE-2022-2048