23 matches found

Cvelist
added 2026/05/05 8:58 p.m., 27 views

CVE-2026-39852 Quarkus authorization bypass via semicolon path normalization inconsistency

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP...

CVSS 8.8, EPSS 0.00016
Exploits: 0, References: 1

CNNVD
added 2026/05/05 12:0 a.m., 6 views

Quarkus Security Vulnerability

Quarkus is an open-source cloud-native Linux framework for writing Java applications. Quarkus has a security vulnerability that stems from inconsistent path normalization between the security layer and the routing layer. This vulnerability allows unauthenticated or low-privilege users to bypass...

CVSS 8.8, AI score 5.8, EPSS 0.00016
Exploits: 0, References: 1

vulnersOsv
added 2026/05/04 5:20 p.m., 6 views

ai.timefold.solver:timefold-solver-quarkus-benchmark-integration-test (>=0.8.38 <=1.20.1), ai.timefold.solver:timefold-solver-quarkus-devui-integration-test (>=0.8.38 <=1.20.1) +2515 more potentially affected by CVE-2026-39852 via io.quarkus:quarkus-vertx-http (>=0.23.0 <=3.20.6)

io.quarkus:quarkus-vertx-http MAVEN version =0.23.0, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.8.38, =0.0.1, =0.0.1, =0.0.1, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.2, =0.0.5 and more Source cves: CVE-2026-39852 Source advisory: OSV:GHSA-RC95-PCM8-65V9...

CVSS 8.8, AI score 5.8, EPSS 0.00016
Exploits: 0

IBM Security Bulletins
added 2026/03/23 7:49 p.m., 4 views

Security Bulletin: Vulnerabilities in Quarkus affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in Quarkus has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-66560 DESCRIPTION: Quarkus ...

CVSS 7.5, AI score 5.7, EPSS 0.00012
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/01/22 5:11 a.m., 8 views

Security Bulletin: Vulnerabilities in Quarkus affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in Quarkus has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-49574 DESCRIPTION: Quarkus ...

CVSS 6.4, AI score 7.8, EPSS 0.00126
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/01/21 7:21 p.m., 9 views

Security Bulletin: Vulnerabilities in Quarkus affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in Quarkus has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-49574 DESCRIPTION: Quarkus ...

CVSS 6.4, AI score 5.4, EPSS 0.00126
Exploits: 0, Affected Software: 1

EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2024-0859

Malicious code in bioql PyPI...

CVSS 3.5, AI score 4.6, EPSS 0.00119
Exploits: 0, References: 8

EUVD
added 2025/10/03 8:7 p.m., 13 views

EUVD-2024-1194

Malicious code in bioql PyPI...

CVSS 7, AI score 6.9, EPSS 0.00044
Exploits: 0, References: 16

NVD
added 2025/05/06 8:15 p.m., 14 views

CVE-2024-12225

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default...

CVSS 9.1, EPSS 0.00515
Exploits: 0, References: 2

OSV
added 2024/03/13 10:15 a.m., 1 views

CVE-2024-1979

A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk...

CVSS 3.5, AI score 5.7, EPSS 0.00119
Exploits: 0, References: 4

CNNVD
added 2023/12/08 12:0 a.m., 3 views

Quarkus Security Vulnerabilities

Quarkus is a cloud-native Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus that stems from when a request is received via websocket and role-based permissions are not specified on a GraphQL operation, Quarkus processes the request without...

CVSS 9.1, AI score 6.6, EPSS 0.00537
Exploits: 0, References: 5

CNNVD
added 2023/12/06 12:0 a.m., 3 views

Quarkus Security Vulnerabilities

Quarkus is a cloud-native Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus. An attacker could exploit this vulnerability to gain access to sensitive data...

CVSS 5.3, AI score 5.4, EPSS 0.00202
Exploits: 0, References: 3

RedHat Linux
added 2023/12/05 2:36 p.m., 2 views

quarkus: HTTP security policy bypass

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized...

CVSS 8.1, AI score 5.7, EPSS 0.00455
Exploits: 1, References: 5

CNNVD
added 2023/11/15 12:0 a.m., 1 views

Quarkus Security Vulnerabilities

Quarkus is a cloud-native Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus that stems from not properly cleaning artifacts created using the Gradle plugin, which allows for the retention of certain build system information, allowing an...

CVSS 7.7, AI score 6.5, EPSS 0.02999
Exploits: 0, References: 3

vulnersOsv
added 2023/09/20 12:30 p.m., 4 views

com.abavilla:fpi-bot-api (>=1.0.2 <=1.5.0), com.abavilla:fpi-bot-api-core (>=1.0.2 <=1.3.1) +38 more potentially affected by CVE-2023-4853 via io.quarkus:quarkus-keycloak-authorization (>=0.27.0 <=2.16.10.Final)

io.quarkus:quarkus-keycloak-authorization MAVEN version =0.27.0, =1.0.2, =1.0.2, =1.0.2, =1.3.2, =1.0.132, =1.0.132, =1.0.133, =1.0.42, =1.0.42, =1.0.42, =1.3.2, =1.0.22, =1.0.22, =1.0.22, =1.3.3, =1.7.1 and more Source cves: CVE-2023-4853 Source advisory: OSV:GHSA-4F4R-WGV2-JJVG...

CVSS 8.1, AI score 7.2, EPSS 0.00455
Exploits: 1

vulnersOsv
added 2023/09/20 12:30 p.m., 3 views

ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +1898 more potentially affected by CVE-2023-4853 via io.quarkus:quarkus-vertx-http (>=3.0.0.Alpha1 <=3.2.5.Final)

io.quarkus:quarkus-vertx-http MAVEN version =3.0.0.Alpha1, =0.1.0, =0.1.0, =0.0.2, =0.1.1, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.10 and more Source cves: CVE-2023-4853 Source advisory: OSV:GHSA-4F4R-WGV2-JJVG...

CVSS 8.1, AI score 7.4, EPSS 0.00455
Exploits: 1

CNNVD
added 2023/09/08 12:0 a.m., 3 views

Quarkus Security Vulnerabilities

Quarkus is a cloud-native Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus that stems from one of the HTTP security policies failing to properly clean up certain character alignments when accepting a request, resulting in incorrect privileg...

CVSS 8.1, AI score 6.8, EPSS 0.00455
Exploits: 1, References: 16

CNNVD
added 2023/06/29 12:0 a.m., 1 views

Quarkus Security Vulnerability

Quarkus is a cloud-native Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus that stems from the unenforced use of the TLS protocol and the ability of a client to force an option to support a weaker TLS protocol...

CVSS 8.1, AI score 7.1, EPSS 0.00489
Exploits: 0, References: 7

RedhatCVE
added 2022/11/22 8:26 a.m., 34 views

CVE-2022-4116

A vulnerability was found in quarkus. This issue occurs in Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution...

CVSS 7.5, AI score 4.6, EPSS 0.029
Exploits: 0, References: 3

NVD
added 2022/08/31 4:15 p.m., 11 views

CVE-2022-2466

It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior...

CVSS 9.8, EPSS 0.12779
Exploits: 1, References: 1