CVE fixes - February 2025


Today, we released CVE fix releases for Quarkus 3.8 LTS and 3.15 LTS to address several CVEs. If you are using these versions and the mentioned components, the update is recommended.

These CVEs are already fixed in Quarkus 3.19.1, so if you are using a non-LTS version, please upgrade to Quarkus 3.19.1 (or to the closest LTS version if you are using an old version).

We addressed the following CVEs:

- CVE-2025-24970 - Upstream Netty (only for 3.15)
- CVE-2025-1247 - Quarkus REST - Using field injection for request-scoped elements in REST resources not marked with the request scope could lead to concurrency issues.
- CVE-2024-12225 (embargo will be lifted soon) - WebAuthn - The callback endpoint was enabled by default. It now needs to be explicitly configured.
- CVE-2025-1634 (not published yet) - RESTEasy Classic - RESTEasy Classic endpoints may be affected by memory leaks. If you are exposing REST endpoints publicly using the quarkus-resteasy extension, the update is highly recommended. Quarkus REST is NOT affected by this CVE.

Come Join Us

We value your feedback a lot, so please report bugs, ask for improvements… Let's build something great together!

If you are a Quarkus user or just curious, don't be shy and join our welcoming community:

- provide feedback on GitHub;
- craft some code and push a PR;
- discuss with us on Zulip and on the mailing list;
- ask your questions on Stack Overflow.
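To illustrate the pattern behind CVE-2025-1247 above, here is an added example (not code from the Quarkus project) of a Quarkus REST resource that injects a per-request value into a field while keeping the default singleton scope, next to the same resource marked request-scoped; the class, path and header names are hypothetical.

```java
// Added example, not from the Quarkus project: the field-injection pattern
// behind CVE-2025-1247 and its request-scoped counterpart.
// Class, path and header names are hypothetical.
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;

// Quarkus REST resources are singletons unless scoped otherwise, so a single
// instance of this class serves every request. The injected header value is
// written into that shared field on each request, so two overlapping requests
// can read each other's value. This is the affected pattern.
@Path("/affected")
class AffectedResource {

    @HeaderParam("X-Tenant")
    String tenant; // one field shared by all concurrent requests

    @GET
    public String whoAmI() {
        return "tenant=" + tenant; // may observe another request's tenant
    }
}

// Marking the resource request-scoped gives each request its own instance,
// so the injected field is never visible to a different request.
// Alternatively, take the value as a method parameter
// (whoAmI(@HeaderParam("X-Tenant") String tenant)) and keep no per-request
// state in fields at all.
@Path("/scoped")
@RequestScoped
class ScopedResource {

    @HeaderParam("X-Tenant")
    String tenant; // per-request instance, per-request field

    @GET
    public String whoAmI() {
        return "tenant=" + tenant;
    }
}
```

When auditing an application for this issue, look for `@HeaderParam`, `@QueryParam`, `@PathParam`, `@CookieParam` or `@Context` on fields of resource classes that carry no request scope annotation.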