PT-2026-32035 · Red Hat · Quarkus-Openapi-Generator
Oscerd · Published 2026-04-08 · Updated 2026-05-21 · CVE-2026-40180
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Quarkus OpenAPI Generator versions prior to 2.16.0 and 2.15.0-lts

Description: The unzip() method in ApicurioCodegenWrapper.java does not validate that the file path of extracted ZIP entries remains within the intended output directory. The destination file path is constructed using new File(toOutputDir, entry.getName()) without proper validation. A malicious ZIP archive containing path traversal sequences (e.g., ../../malicious.java) could allow writing files outside the target directory. This could lead to overwriting source files, injecting malicious code, or modifying configuration files, potentially resulting in a supply chain compromise.

Recommendations: Update to version 2.16.0 or 2.15.0-lts.
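The check the description says is missing, as an added example that is not code from the quarkus-openapi-generator project or from this advisory: each entry name is resolved against the output directory and the normalized result must still start with that directory (compared by path component, not by string prefix), otherwise the entry is rejected. The class name, the helper that builds a constructed in-memory archive, and the entry names are assumptions for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {

    // Hardened form of the unzip described in the advisory: the vulnerable code
    // built new File(toOutputDir, entry.getName()) with no containment check.
    public static void unzip(InputStream in, File toOutputDir) throws IOException {
        Path root = toOutputDir.toPath().toAbsolutePath().normalize();
        Files.createDirectories(root);
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // normalize() collapses "../" segments; an absolute entry name also
                // resolves outside root. Path.startsWith compares whole components,
                // so "/tmp/out2" does NOT count as inside "/tmp/out".
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("ZIP entry escapes output directory: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    // Constructed test fixture (hypothetical helper): an in-memory ZIP with the given entry names.
    static byte[] zipWithEntries(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String n : names) {
                zos.putNextEntry(new ZipEntry(n));
                zos.write("// generated".getBytes());
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File out = Files.createTempDirectory("codegen-out").toFile();
        unzip(new ByteArrayInputStream(zipWithEntries("src/Api.java")), out); // accepted
        try {
            unzip(new ByteArrayInputStream(zipWithEntries("../escaped.java")), out);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage()); // traversal entry blocked
        }
    }
}
```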

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-40180, GHSA-JX2W-VP7F-456Q

Affected Products: Quarkus-Openapi-Generator