17 matches found
CVE-2026-49270
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true are vulnerable to an unauthenticated attacker who can receive a list of all...
com.espertech:esperio-springjms (=9.0.0), io.fabric8.examples:fabric-activemq-demo (>=1.1.0.Beta1 <=1.2.0.redhat-133) +21 more potentially affected by CVE-2026-42588 via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.5)
org.apache.activemq:activemq-all MAVEN version =6.0.0, =1.1.0.Beta1, =1.1.0.Beta1, =1.1.0.Beta1, =4.2.9.hyte-4296, =4.2.9.hyte-4296, =4.2.9.hyte-4296, =4.2.9.hyte-4296, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.5 and more Source cves: CVE-2026-42588 Source advisory:...
com.espertech:esperio-springjms (=9.0.0), io.fabric8.examples:fabric-activemq-demo (>=1.1.0.Beta1 <=1.2.0.redhat-133) +21 more potentially affected by CVE-2026-49157 via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.5)
org.apache.activemq:activemq-all MAVEN version =6.0.0, =1.1.0.Beta1, =1.1.0.Beta1, =1.1.0.Beta1, =4.2.9.hyte-4296, =4.2.9.hyte-4296, =4.2.9.hyte-4296, =4.2.9.hyte-4296, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.5 and more Source cves: CVE-2026-49157 Source advisory:...
CVE-2026-45505
Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as masterslave:vm://...,... and static:vm://... incorrectly pass validation allowing bypass o...
CVE-2026-42253
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...
BIT-ACTIVEMQ-2026-41044 Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia
Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to...
org.apache.axis2:axis2-integration (=1.4), org.apache.camel:camel-example-cxf (>=1.2.0 <=1.3.0) +3 more potentially affected by CVE-2026-34197 +1 more via org.apache.activemq:apache-activemq (>=4.1.1 <=5.0.0)
org.apache.activemq:apache-activemq MAVEN version =4.1.1, =1.2.0, =1.1.0, =1.3.0 - org.apache.camel:camel-example-spring =1.2.0 - org.apache.camel:camel-example-spring-xquery =1.3.0 Source cves: CVE-2026-34197, CVE-2026-40466 Source advisory: OSV:GHSA-W3W2-MPP5-92GM...
BIT-ACTIVEMQ-2026-40046 Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 and future 5.19.x releases but was missed for all 6.0.0+...
Apache ActiveMQ < 5.19.3 / 5.19.4, 6.x < 6.2.2 / 6.2.3 Classpath Path Traversal
The version of Apache ActiveMQ running on the remote host is prior to 5.19.3 / 5.19.4 or 6.x prior to 6.2.2 / 6.2.3. It is, therefore, affected by an improper validation and restriction of classpath path name vulnerability: - An authenticated user could exploit path concatenation to traverse the...
CVE-2026-40046 Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 and future 5.19.x releases but was missed for all 6.0.0+...
com.espertech:esperio-springjms (=9.0.0), org.apache.activemq.tooling:activemq-maven-plugin (>=6.0.0 <=6.2.2) +5 more potentially affected by CVE-2026-34197 via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.2)
org.apache.activemq:activemq-all MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.2 Source cves: CVE-2026-34197 Source advisory: OSV:GHSA-RXPJ-7QVF-XV32...
com.cognifide.aet:cleaner (>=2.0.0 <=3.2.2), com.cognifide.aet:communication (>=2.0.0 <=3.2.2) +175 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-stomp (>=5.10.0 <=5.19.2)
org.apache.activemq:activemq-stomp MAVEN version =5.10.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.3-rc1, =2.0.0, =3.0.0, =3.0.0, =3.0.0, =1.1.0, =1.2.4.5, =1.2.4.6, =1.2.4.5, =1.2.4.5, =1.2.6.7 and more Source cves: CVE-2026-33227 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-15930951...
org.apache.activemq:activemq-osgi (>=6.0.0 <=6.2.1), org.apache.activemq:activemq-unit-tests (>=6.0.0 <=6.2.1) +4 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-stomp (>=6.0.0 <=6.2.1)
org.apache.activemq:activemq-stomp MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.1 - org.fcrepo:fcrepo-jms =7.0.0-RC1 - org.fcrepo:fcrepo-webapp =7.0.0-RC1 Source cves: CVE-2026-33227 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-15930951...
io.fabric8.examples:fabric-activemq-demo (>=1.1.0.CR2 <=1.1.0.CR3), io.fabric8.jube.images.fabric8:quickstart-karaf-camel-amq (>=2.0.5 <=2.0.7) +63 more potentially affected by CVE-2014-3612 via org.apache.activemq:activemq-jaas (>=5.0.0 <=5.10.0)
org.apache.activemq:activemq-jaas MAVEN version =5.0.0, =1.1.0.CR2, =2.0.5, =1.1.0.CR2, =5.0.0, =0.6.0.Final, =0.12.0.Final and more Source cves: CVE-2014-3612 Source advisory: OSV:GHSA-72M6-23FF-7Q26...
at.chrl:chrl-jms (=1.1.0), at.researchstudio.sat:won-core (>=0.2 <=0.9) +273 more potentially affected by CVE-2016-0782 via org.apache.activemq:activemq-client (>=5.10.0 <=5.11.3)
org.apache.activemq:activemq-client MAVEN version =5.10.0, =0.2, =0.3, =0.2, =0.2, =0.3, =0.3, =0.3, =0.3, =0.3, =0.2, =0.3, =0.3, =0.6 - at.researchstudio.sat:won-owner =0.3 - at.researchstudio.sat:won-owner-webapp =0.3 and more Source cves: CVE-2016-0782 Source advisory: OSV:GHSA-8RCQ-P4GH-VMJ8...
DEBIAN-CVE-2017-15709
When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details such as the OS and kernel version are exposed as plain text...
Apache ActiveMQ 'admin/queueBrowse' Cross Site Scripting Vulnerability
Apache ActiveMQ is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. SPDX-FileCopyrightText: 2010 Greenbone AG