VYPR

Quarkus

by Quarkusio


CVEs (18)

  • CVE-2026-50559 [Important] Jun 17, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters

  • CVE-2025-1247 [High] Feb 13, 2025
    risk 0.47 | cvss 8.3 | epss 0.01

    A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

  • CVE-2026-39852 [High] May 5, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged…

  • CVE-2025-1634 [High] Feb 26, 2025
    risk 0.42 | cvss 7.5 | epss 0.01

    A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to…

  • CVE-2024-12397 [High] Dec 12, 2024
    risk 0.41 | cvss 7.4 | epss 0.01

    A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values,…

  • CVE-2024-2700 [High] Apr 4, 2024
    risk 0.39 | cvss 7.0 | epss 0.00

    A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build; therefore, the resulting application inherits the values captured at build time when it runs. Some local environment…

  • CVE-2025-49574 [Medium] Jun 23, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement…

  • CVE-2023-5675 [Medium] Apr 25, 2024
    risk 0.35 | cvss 6.5 | epss 0.00

    A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is…

  • CVE-2024-1726 [Medium] Apr 25, 2024
    risk 0.28 | cvss 5.3 | epss 0.01

    A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has…

  • CVE-2024-1979 [Low] Mar 13, 2024
    risk 0.16 | cvss 3.5 | epss 0.01

    A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.

  • CVE-2022-2466 Aug 31, 2022
    risk 0.01 | cvss n/a | epss 0.01

    It was found that Quarkus 2.10.x does not terminate the HTTP request header context, which may lead to unpredictable behavior.

  • CVE-2025-66560 Jan 7, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits…

  • CVE-2024-12225 May 6, 2025
    risk 0.00 | cvss n/a | epss 0.00

    A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST…

  • CVE-2023-5720 Nov 15, 2023
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.

  • CVE-2023-1584 Oct 4, 2023
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data…

  • CVE-2022-4147 Dec 6, 2022
    risk 0.00 | cvss n/a | epss 0.01

    Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no…

  • CVE-2022-4116 Nov 22, 2022
    risk 0.00 | cvss n/a | epss 0.33

    A vulnerability was found in Quarkus. This security flaw is in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.

  • CVE-2022-0981 Mar 23, 2022
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.