This release of Red Hat build of Quarkus 3.33.2.SP1 includes the following CVE fixes: * quarkus-vertx-http: Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities [quarkus-3.33] (CVE-2026-50559) * vertx-core: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name [quarkus-3.33] (CVE-2026-6860) * netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation [quarkus-3.33] (CVE-2026-44249) * netty-codec-haproxy: Netty-codec-haproxy: Denial of Service via malformed HAProxy message [quarkus-3.33] (CVE-2026-44893) * netty-codec-http2: netty-codec-http2: Denial of Service due to resource leak [quarkus-3.33] (CVE-2026-48043) * netty-codec-haproxy: Netty HAProxy PROXY protocol v2 codec: Denial of Service via memory leak from crafted PROXY protocol headers [quarkus-3.33] (CVE-2026-48059) * netty-resolver-dns: Netty has Insufficient Bailiwick Validation for NS Records [quarkus-3.33] (CVE-2026-47691) * netty-handler: Netty: Improper trust manager handling leads to hostname verification bypass [quarkus-3.33] (CVE-2026-50010) * netty-codec-http: Netty: Data manipulation via request-boundary confusion in HttpObjectDecoder [quarkus-3.33] (CVE-2026-50020) * netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation [quarkus-3.33] (CVE-2026-45674) * netty-handler: Netty: Denial of Service due to eager buffer allocation in TLS handshake [quarkus-3.33] (CVE-2026-45416) * netty-codec-http2: Netty: Denial of Service due to HTTP/2 max header size handling [quarkus-3.33] (CVE-2026-50560) * netty-codec-http2: Netty: Denial of Service via uncontrolled HTTP/2 concurrent streams [quarkus-3.33] (CVE-2026-47244) * netty-resolver-dns: Netty DNS resolver: DNS Cache Poisoning via predictable transaction IDs [quarkus-3.33] (CVE-2026-45673) For more information, see the release notes page listed in the References section.