quarkus

Top products

The 15 most recently published vulnerabilities affecting quarkus.

• CVE-2026-39852Quarkus authorization bypass via semicolon path normalization inconsistency8.2May 5, 2026
• CVE-2025-66560Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write5.9Jan 7, 2026
• CVE-2024-12225Io.quarkus:quarkus-security-webauthn: quarkus webauthn unexpected authentication bypass9.1May 6, 2025
• CVE-2023-6267Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.8.6Jan 25, 2024
• CVE-2023-6394Quarkus: graphql operations over websockets bypass7.4Dec 9, 2023
• CVE-2023-5720Quarkus: build env information disclosure via gradle plugin7.7Nov 15, 2023
• CVE-2023-1584Quarkus-oidc: id and access tokens leak via the authorization code flow7.5Oct 4, 2023
• CVE-2023-4853Quarkus: http security policy bypass8.1Sep 20, 2023
• CVE-2023-0481In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a loc...3.3Feb 24, 2023
• CVE-2023-0044If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented...6.1Feb 23, 2023
• CVE-2022-4147Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on...7.5Dec 6, 2022
• CVE-2022-4116A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.9.8Nov 22, 2022
• CVE-2022-42004In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An applicat...7.5Oct 2, 2022
• CVE-2022-42003In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting...7.5Oct 2, 2022
• CVE-2022-2466It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.9.8Aug 31, 2022