Skip to main content

Vert X

7 CVEs product

Monthly

CVE-2026-6860 Maven MEDIUM POC PATCH GHSA This Month

Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement.

Information Disclosure Vert X Red Hat
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2024-8391 Maven MEDIUM PATCH This Month

In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Vert X
NVD GitHub
CVSS 4.0
6.9
EPSS
0.6%
CVE-2018-12544 Maven CRITICAL PATCH Act Now

In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Vert X
NVD GitHub
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-12542 Maven CRITICAL POC PATCH Act Now

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Path Traversal Vert X
NVD GitHub
CVSS 3.0
9.8
EPSS
2.3%
CVE-2018-12541 Maven MEDIUM PATCH This Month

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Vert X
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2018-12537 Maven MEDIUM PATCH This Month

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Vert X
NVD GitHub
CVSS 3.0
5.3
EPSS
2.5%
CVE-2018-12540 Maven HIGH POC PATCH This Week

In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Vert X
NVD
CVSS 3.0
8.8
EPSS
2.0%
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement.

Information Disclosure Vert X Red Hat
NVD GitHub VulDB
EPSS 1% CVSS 6.9
MEDIUM PATCH This Month

In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Vert X
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Vert X
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Path Traversal Vert X
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Vert X
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Vert X
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Vert X
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy