Quarkus CXF 3.33.4 LTS release notes

Important dependency upgrades

Quarkus 3.33.1 → 3.33.2 - release notes
Apache CXF 4.1.5 → 4.1.6 - release notes, changelog
- CVE-2026-44417 Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE) - severity moderate
- CVE-2026-44618 Apache CXF: XXE vulnerability in WS-Transfer functionality - severity moderate
- CVE-2026-44930 Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository - severity moderate
JAXB Plugins 4.0.12 → 4.0.16 - release notes 4.0.13, release notes 4.0.14, release notes 4.0.15, release notes 4.0.16
Woodstox 7.1.1 → 7.2.0 - release notes, changelog
- Notably, this release contains a fix for CXF-8966.

Bugfixes

CXF-9214 WSDLs and XSDs cannot be loaded from class path on GraalVM

A workaround was added for CXF-9214, where WSDLs and XSDs could not be loaded from the class path when running on GraalVM native image. See also the upstream pull request.

Full changelog

https://github.com/quarkiverse/quarkus-cxf/compare/3.33.3...3.33.4