CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-50559

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.003

EPSS Ranking 16.2%

CVSS Severity

CVSS v3 Score 7.5

References

https://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-50559

Products

Pricing

Contact Us