Quarkus
This hub aggregates every CVE we track for Quarkus, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.
52
CVEs tracked
4
Critical
23
High
0
In CISA KEV
Severity distribution
HIGH23MEDIUM23CRITICAL4LOW2
Monthly trend
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
0
0
0
1
1
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Quarkus.
- CVE-2026-50559Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities7.5
- CVE-2026-39852Quarkus authorization bypass via semicolon path normalization inconsistency8.2
- CVE-2025-66560Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write5.9
- CVE-2025-49574Quarkus potential data leak when duplicating a duplicated context6.4
- CVE-2024-12225Io.quarkus:quarkus-security-webauthn: quarkus webauthn unexpected authentication bypass9.1
- CVE-2024-1726Quarkus: security checks for some inherited endpoints performed after serialization in resteasy reactive may trigger a denial of service5.3
- CVE-2023-6267Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.8.6
- CVE-2023-6394Quarkus: graphql operations over websockets bypass7.4
- CVE-2023-5720Quarkus: build env information disclosure via gradle plugin7.7
- CVE-2023-1584Quarkus-oidc: id and access tokens leak via the authorization code flow7.5
- CVE-2023-4853Quarkus: http security policy bypass8.1
- CVE-2023-2974Quarkus-core: tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol6.5
- CVE-2023-0481In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a loc...3.3
- CVE-2023-0044If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented...6.1
- CVE-2022-4147Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on...7.5
Product normalization is registry-driven with AI assist and human review. How it works