Note that for it to be exploitable in ESAPI, you would have had to add the 'preserveComments' directive set in ESAPI's AntiSamy policy file, antisamy-esapi.xml. By default, that directive is not present in ESAPI and IMHO, I can't think of any valid use case where you would ever need it.
A new ESAPI release is being planned, but AntiSamy 1.7.5 is causing some convergence issues so Matt, Jeremiah, and I have a few decisions to make. We will also probably need to make some minor tweaks to our regression tests for AntiSamy before doing a release.
For those of you who have SCA tools that are squawking about CVE-2024-23635 in regards to ESAPI, you can either mark it as a False Positive (unless you have added the 'preserveComments' directive to antisamy-esapi.xml) or you can exclude AntiSamy 1.7.4 in your ESAPI dependency and force 1.7.5 to be used. (Although, as noted, you will want to recheck your regression tests.)
But, please do not send Matt or me emails or create GitHub Discussions about this. We are aware and are working on it.
Thanks for your patience in this matter,
-kevin
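The triage rule above (AntiSamy 1.7.5 or later is fixed; on 1.7.4 the finding is a false positive unless `preserveComments` is set in antisamy-esapi.xml) as a small policy-file check, added here as an example and not code from the ESAPI or AntiSamy projects; the `<directive name="..." value="..."/>` element form is the standard AntiSamy policy layout, and the two policy snippets are constructed inputs.

```python
import xml.etree.ElementTree as ET

FIXED_ANTISAMY = (1, 7, 5)  # version the post says to force via dependency exclusion


def _local(tag: str) -> str:
    # Strip any XML namespace prefix ("{uri}directive" -> "directive").
    return tag.rsplit("}", 1)[-1]


def preserve_comments_enabled(policy_xml: str) -> bool:
    """True if the AntiSamy policy text sets the preserveComments directive to true."""
    root = ET.fromstring(policy_xml)
    for el in root.iter():
        if _local(el.tag) == "directive" and el.get("name") == "preserveComments":
            return el.get("value", "").strip().lower() == "true"
    return False  # directive absent: ESAPI's default policy does not carry it


def _version_tuple(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def triage_cve_2024_23635(policy_xml: str, antisamy_version: str) -> str:
    """Classify an SCA finding for CVE-2024-23635 against an ESAPI deployment."""
    if _version_tuple(antisamy_version) >= FIXED_ANTISAMY:
        return "not-affected"      # already on 1.7.5 or later
    if preserve_comments_enabled(policy_xml):
        return "exposed"           # preserveComments added to antisamy-esapi.xml
    return "false-positive"        # default ESAPI policy: comments are not preserved


# Constructed sample policies (not the real antisamy-esapi.xml).
DEFAULT_LIKE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
  </directives>
</anti-samy-rules>"""

RISKY_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="preserveComments" value="true"/>
  </directives>
</anti-samy-rules>"""

if __name__ == "__main__":
    print(triage_cve_2024_23635(DEFAULT_LIKE_POLICY, "1.7.4"))  # false-positive
    print(triage_cve_2024_23635(RISKY_POLICY, "1.7.4"))         # exposed
    print(triage_cve_2024_23635(RISKY_POLICY, "1.7.5"))         # not-affected
```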