Quarkus
Monthly
Authentication bypass in the Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters, or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the patched releases 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently b...
A vulnerability was found in Quarkus in the quarkus-security-webauthn module. Rated critical severity (CVSS 9.1): it is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch available.