CVE Daily
← All tags

Tag: Quarkus

All CVEs associated with "Quarkus". Page 1/1 • 27 CVEs.

About “Quarkus”

A curated feed of “Quarkus”-related CVEs appears below. We currently track 27 CVEs for this tag (all time). In the last 365 days, 5 were published. Average CVSS is 7.0 (all time; 6.9 over 365d), and 56% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE-863 - Incorrect Authorization, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: quarkus-framework

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestExtended SupportEOLLTS
3.353.35.4Unavailable Soon
3.343.34.7Unavailable Expired
3.333.33.2UnavailableLTS
3.323.32.4Unavailable Expired
3.313.31.4Unavailable Expired
3.303.30.8Unavailable Expired
3.293.29.4Unavailable Expired
3.283.28.5Unavailable Expired
3.273.27.4Unavailable SoonLTS
3.263.26.4Unavailable Expired
3.253.25.4Unavailable Expired
3.243.24.5Unavailable Expired
3.233.23.4Unavailable Expired
3.223.22.3Unavailable Expired
3.213.21.4Unavailable Expired
3.203.20.6.1 ExpiredLTS
3.193.19.4Unavailable Expired
3.183.18.4Unavailable Expired
3.173.17.8Unavailable Expired
3.163.16.4Unavailable Expired
3.153.15.7 ExpiredLTS
3.143.14.4Unavailable Expired
3.133.13.3Unavailable Expired
3.123.12.3Unavailable Expired
3.113.11.3Unavailable Expired
3.103.10.2Unavailable Expired
3.93.9.5Unavailable Expired
3.83.8.6.1 ExpiredLTS
3.73.7.4Unavailable Expired
3.63.6.9Unavailable Expired
3.53.5.3Unavailable Expired
3.43.4.3Unavailable Expired
3.33.3.3Unavailable Expired
3.23.2.12 ExpiredLTS
3.13.1.3Unavailable Expired
3.03.0.4Unavailable Expired
2.162.16.12Unavailable Expired
2.152.15.3Unavailable Expired
2.142.14.3Unavailable Expired
2.132.13.9 Expired
2.122.12.3Unavailable Expired
2.112.11.3Unavailable Expired
2.102.10.4Unavailable Expired
2.92.9.2Unavailable Expired
2.82.8.3Unavailable Expired
2.72.7.7 Expired
2.62.6.3Unavailable Expired
2.52.5.4Unavailable Expired
2.42.4.2Unavailable Expired
2.32.3.1Unavailable Expired
2.22.2.5 Expired
2.12.1.4Unavailable Expired
2.02.0.3Unavailable Expired
11.13.7 Expired
00.28.1Unavailable Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Quarkus”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-09
Medium

CVE-2026-42333

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter…

CVSS: 6.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2026-05-05
High

CVE-2026-39852

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the sec…

CVSS: 8.2 CWE: CWE-863 - Incorrect Authorization View on NVD
2026-04-10
High

CVE-2026-40180

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2026-01-07
Medium

CVE-2025-66560

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST rela…

CVSS: 5.9 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2025-06-23
Medium

CVE-2025-49574

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicat…

CVSS: 6.4 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2025-05-06
Critical

CVE-2024-12225

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing develope…

CVSS: 9.1 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2025-02-26
High

CVE-2025-1634

A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leadi…

CVSS: 7.5 CWE: CWE-401 - Missing Release of Memory after Effective Lifetime View on NVD
2025-02-13
High

CVE-2025-1247

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipu…

CVSS: 8.3 CWE: CWE-488 - Exposure of Data Element to Wrong Session View on NVD
2024-12-12
High

CVE-2024-12397

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exf…

CVSS: 7.4 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2024-11-25
Medium

CVE-2024-10451

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, lead…

CVSS: 5.9 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2024-10-08
Medium

CVE-2024-9621

A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the application log in spite of the user configuring them to be hidden. This issue requires some special configura…

CVSS: 5.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2024-04-25
Medium

CVE-2024-1726

A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed…

CVSS: 5.3 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Medium

CVE-2023-5675

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation p…

CVSS: 6.5 CWE: CWE-285 - Improper Authorization View on NVD
2024-04-04
High

CVE-2024-2700

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting appli…

CVSS: 7.0 CWE: CWE-526 - Cleartext Storage of Sensitive Information in an Environment Variable View on NVD
2024-03-13
Low

CVE-2024-1979

A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.

CVSS: 3.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-12-09
High

CVE-2023-6394

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authenti…

CVSS: 7.4 CWE: CWE-862 - Missing Authorization View on NVD
2023-12-06
Medium

CVE-2023-6393

A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial "completion" context, the processing switches to…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-11-15
High

CVE-2023-5720

A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access…

CVSS: 7.7 CWE: CWE-526 - Cleartext Storage of Sensitive Information in an Environment Variable View on NVD
2023-10-04
High

CVE-2023-1584

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-09-20
High

CVE-2023-4853

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This is…

CVSS: 8.1 CWE: CWE-148 - Improper Neutralization of Input Leaders View on NVD
2023-07-04
Medium

CVE-2023-2974

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the…

CVSS: 6.5 CWE: CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') View on NVD
2023-02-24
Low

CVE-2023-0481

In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local…

CVSS: 3.3 CWE: CWE-378 - Creation of Temporary File With Insecure Permissions View on NVD
2023-02-23
Medium

CVE-2023-0044

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented w…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2022-12-06
High

CVE-2022-4147

Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on t…

CVSS: 7.5 CWE: CWE-1026 View on NVD
2022-11-22
Critical

CVE-2022-4116

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.

CVSS: 9.8 CWE: N/A View on NVD
2022-08-31
Critical

CVE-2022-2466

It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.

CVSS: 9.8 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2022-03-23
High

CVE-2022-0981

A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operatio…

CVSS: 8.8 CWE: CWE-863 - Incorrect Authorization View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox