Security Bulletin: There is a vulnerability in vertx-core-4.5.24.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-6860)

Summary There is a vulnerability in vertx-core-4.5.24.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-6860 DESCRIPTION: A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepte...

Security Bulletin: IBM SPSS Analytic Server is affected by a Vert.x Web Static Handler cache manipulation vulnerability (CVE-2026-1002)

Summary IBM SPSS Analytic Server is affected by a Vert.x Web Static Handler cache manipulation vulnerability CVE-2026-1002. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2026-1002 DESCRIPTION: The Vert.x Web static handler component cache can be manipulated t...

io.quarkus:quarkus-vertx-http-deployment (>=2.11.0.CR1 <=3.3.3) potentially affected by CVE-2026-41159 via org.webjars.npm:mermaid (>=9.1.1 <=9.4.0)

org.webjars.npm:mermaid MAVEN version =9.1.1, =2.11.0.CR1, =3.3.3 Source cves: CVE-2026-41159 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16642056...

io.quarkus:quarkus-vertx-http-deployment (>=2.11.0.CR1 <=3.3.3) potentially affected by CVE-2026-41150 via org.webjars.npm:mermaid (>=9.1.1 <=9.4.0)

org.webjars.npm:mermaid MAVEN version =9.1.1, =2.11.0.CR1, =3.3.3 Source cves: CVE-2026-41150 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16642041...

io.quarkus:quarkus-vertx-http-deployment (>=2.11.0.CR1 <=3.3.3) potentially affected by CVE-2026-41149 via org.webjars.npm:mermaid (>=9.1.1 <=9.4.0)

org.webjars.npm:mermaid MAVEN version =9.1.1, =2.11.0.CR1, =3.3.3 Source cves: CVE-2026-41149 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16642051...

io.quarkus:quarkus-vertx-http-deployment (>=2.11.0.CR1 <=3.3.3) potentially affected by CVE-2026-41148 via org.webjars.npm:mermaid (>=9.1.1 <=9.4.0)

org.webjars.npm:mermaid MAVEN version =9.1.1, =2.11.0.CR1, =3.3.3 Source cves: CVE-2026-41148 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16642045...

ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-metrics (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +4683 more potentially affected by CVE-2026-6860 via io.vertx:vertx-core (>=4.5.0 <=4.5.25)

io.vertx:vertx-core MAVEN version =4.5.0, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.86, =0.0.86, =0.0.86, =def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91 - ai.pipestream.module:module-chunk...

ai.stapi:arango-axon (>=0.0.1 <=0.0.2), ai.stapi:arango-graph (>=0.0.1 <=0.0.2) +3010 more potentially affected by CVE-2026-6860 via io.vertx:vertx-core (>=4.4.0 <=4.4.9)

io.vertx:vertx-core MAVEN version =4.4.0, =0.0.1, =0.0.1, =0.9.39, =0.9.39, =0.9.39, =0.9.39, =0.9.39, =0.9.39, =0.9.39, =0.9.39, =0.9.39, =0.9.39, =23.3.0, =23.3.0, =23.3.0, =23.9.1 and more Source cves: CVE-2026-6860 Source advisory: OSV:GHSA-3G76-F9XQ-8VP6...

Vert.x has a DoS via unbounded server-side SNI SslContext cache growth

Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsentserverName, ... in a serverName-keyed SslContext cache. The implementation differs slight...

ai.tock:bot-test (>=25.9.0 <=26.3.1), ai.tock:bot-test-base (>=25.9.0 <=26.3.1) +773 more potentially affected by CVE-2026-6860 via io.vertx:vertx-core (>=5.0.0 <=5.0.8)

io.vertx:vertx-core MAVEN version =5.0.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =25.9.0, =26.3.1 and more Source cves: CVE-2026-6860 Source advisory: OSV:GHSA-3G76-F9XQ-8VP6...

GHSA-3G76-F9XQ-8VP6 Vert.x has a DoS via unbounded server-side SNI SslContext cache growth

Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsentserverName, ... in a serverName-keyed SslContext cache. The implementation differs slight...

Allocation of Resources Without Limits or Throttling

Overview io.vertx:vertx-core is a tool-kit for building reactive applications on the JVM. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the TLS handshake process, where the SslContext cache can be forced to grow indefinitely. The...

ai.tock:bot-test (=26.3.1), ai.tock:bot-test-base (=26.3.1) +437 more potentially affected by CVE-2026-6860 via io.vertx:vertx-core (>=5.0.0.CR1 <=5.0.11)

io.vertx:vertx-core MAVEN version =5.0.0.CR1, =5.0.11 is affected by a known vulnerability. The following packages have a transitive dependency on io.vertx:vertx-core and may be impacted: - ai.tock:bot-test =26.3.1 - ai.tock:bot-test-base =26.3.1 - ai.tock:bot-toolkit =26.3.1 -...

ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-metrics (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +6304 more potentially affected by CVE-2026-6860 via io.vertx:vertx-core (>=4.3.4 <=4.5.26)

io.vertx:vertx-core MAVEN version =4.3.4, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.86, =0.0.86, =0.0.86, =def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91 - ai.pipestream.module:module-chunk...

Eclipse Vert.x 安全漏洞

Eclipse Vert.x is a toolkit developed by the Eclipse Foundation for building responsive applications on the JVM. There is a security vulnerability in Eclipse Vert.x, which stems from the fact that the TCP client can perform TLS handshakes and present server name extensions. These server name...

io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests

A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...

Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.SP1)

An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available RHBQ 3.27.3.SP1. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product...

io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests

A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...

io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests

A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...

CVE-2026-39852

A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...