
quarkus

48 known vulnerabilities across versions

Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph. Each entry gives the CVE identifier, the affected Quarkus version range, the score with its severity rating, and the opening of the advisory description.

CVE-2026-39852 | affected: < 3.20.6.1 | score: 8.2 HIGH
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3

CVE-2025-66560 | affected: < 3.20.5 | score: 5.9 MEDIUM
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and

CVE-2024-12225 | affected: < 3.15.3.1 | score: 9.1 CRITICAL
A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST e

CVE-2023-6267 | affected: < 2.13.9 | score: 8.6 HIGH
A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resou

CVE-2023-6394 | affected: < 3.6.0 | score: 7.4 HIGH
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on

CVE-2023-5720 | affected: >= 3.0.1 and < 3.2.8 | score: 7.7 HIGH
A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build

CVE-2023-1584 | affected: < 2.13.8 | score: 7.5 HIGH
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP

CVE-2023-4853 | affected: < 2.16.11 | score: 8.1 HIGH
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when acceptin

CVE-2023-0481 | affected: < 2.16.1 | score: 3.3 LOW
In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creat

CVE-2023-0044 | affected: < 2.13.7 | score: 6.1 MEDIUM
If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which mig

CVE-2022-4147 | affected: >= 2.0 and < 2.13.5 | score: 7.5 HIGH
Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLH

CVE-2022-4116 | affected: < 2.13.5 | score: 9.8 CRITICAL
A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost

CVE-2022-42004 | affected: < 2.13.0 | score: 7.5 HIGH
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deser

CVE-2022-42003 | affected: < 2.13.3 | score: 7.5 HIGH
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check i

CVE-2022-2466 | affected: >= 2.10.0 and < 2.10.4 | score: 9.8 CRITICAL
It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.

CVE-2022-0981 | affected: < 2.7.1 | score: 8.8 HIGH
A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy

CVE-2022-21724 | affected: < 2.7.2 | score: 7.0 HIGH
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing sec

CVE-2022-21363 | affected: < 2.7.0 | score: 6.6 MEDIUM
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8

CVE-2021-43797 | affected: < 2.5.3 | score: 6.5 MEDIUM
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protoco

CVE-2021-2471 | affected: < 2.2.4 | score: 5.9 MEDIUM
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8

CVE-2021-37137 | affected: < 2.2.4 | score: 7.5 HIGH
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also

CVE-2021-37136 | affected: < 2.2.4 | score: 7.5 HIGH
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects th

CVE-2021-38153 | affected: < 2.2.4 | score: 5.9 MEDIUM
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make

CVE-2021-37714 | affected: <= 2.2.3 | score: 7.5 HIGH
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vu

CVE-2021-3642 | affected: <= 2.1.4 | score: 5.3 MEDIUM
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where Scra

CVE-2021-28170 | affected: < 2.3.0 | score: 5.3 MEDIUM
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressi

CVE-2020-25724 | affected: < 1.11.2 | score: 4.3 MEDIUM
A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain acc

CVE-2021-26291 | affected: < 1.13.5 | score: 9.1 CRITICAL
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to s

CVE-2021-29428 | affected: <= 2.2.3 | score: 8.8 HIGH
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow

CVE-2021-29427 | affected: <= 2.2.3 | score: 8.0 HIGH
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or depende

CVE-2021-29429 | affected: <= 2.2.3 | score: 4.0 MEDIUM
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to acces

CVE-2021-21409 | affected: <= 1.13.7 | score: 5.9 MEDIUM
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high perfor

CVE-2021-20289 | affected: < 1.13.4 | score: 5.3 MEDIUM
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as pa

CVE-2021-21295 | affected: <= 1.13.7 | score: 5.9 MEDIUM
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high perfor

CVE-2021-20328 | affected: < 1.13.3 | score: 6.4 MEDIUM
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name ver

CVE-2020-28491 | affected: < 2.0.2 | score: 7.5 HIGH
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and be

CVE-2021-21290 | affected: <= 1.13.7 | score: 6.2 MEDIUM
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high perfor

CVE-2020-8908 | affected: < 1.11.4 | score: 3.3 LOW
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potent

CVE-2020-25649 | affected: <= 1.6.1 | score: 7.5 HIGH
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerab

CVE-2020-13956 | affected: < 1.7.6 | score: 5.3 MEDIUM
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed

CVE-2020-25638 | affected: <= 1.9.2 | score: 7.4 HIGH
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the J

CVE-2020-25633 | affected: <= 1.11.6 | score: 5.3 MEDIUM
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server'

CVE-2019-14900 | affected: <= 1.5.2 | score: 6.5 MEDIUM
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the

CVE-2020-13692 | affected: <= 1.5.2 | score: 7.7 HIGH
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

CVE-2020-1714 | affected: <= 1.4.2 | score: 8.8 HIGH
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks.

CVE-2020-10693 | affected: <= 1.4.2 | score: 5.3 MEDIUM
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expre

CVE-2020-1728 | affected: <= 1.4.2 | score: 4.8 MEDIUM
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely

CVE-2017-18640 | affected: <= 1.3.4 | score: 7.5 HIGH
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.