CVE-2026-8686
Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users should upgrade to v5.0.1...
EUVD-2026-20956
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 and future 5.19.x releases but was missed for all 6.0.0+...
CVE-2026-40046 Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 and future 5.19.x releases but was missed for all 6.0.0+...
com.cognifide.aet:cleaner (>=2.0.0 <=3.2.2), com.cognifide.aet:communication (>=2.0.0 <=3.2.2) +184 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-mqtt (>=5.10.0 <=5.19.2)
org.apache.activemq:activemq-mqtt MAVEN version =5.10.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.3-rc1, =2.0.0, =3.0.0, =3.0.0, =3.0.0, =1.1.0, =1.2.4.5, =1.2.4.6, =1.2.4.5, =1.2.4.5, =1.2.6.7 and more Source cves: CVE-2026-33227 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-15930952...
GO-2025-4173 Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes in github.com/eclipse/paho.mqtt.golang
Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes in github.com/eclipse/paho.mqtt.golang...
CVE-2025-56558
The provided sources describe a Dyson MQTT server vulnerability (CVE-2025-56558) affecting Dyson IoT devices dating to 2022+. A client possessing AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and a device serial can publish/subscribe to Dyson MQTT topics even if the physical device...
EUVD-2019-0286
Malware in sbrugna...
EUVD-2020-28023
Malware in sbrugna...
EUVD-2017-0363
Malware in sbrugna...
EUVD-2018-10481
Malware in sbrugna...
EUVD-2024-46121
Malicious code in bioql PyPI...
EUVD-2024-42265
Malicious code in bioql PyPI...
EUVD-2025-5098
Malicious code in bioql PyPI...
EUVD-2023-28215
Malicious code in bioql PyPI...
CVE-2025-24798
CVE-2025-24798 – Meshtastic: Affects Meshtastic Open Source firmware versions 1.2.1 through 2.6.2. A crafted packet sent to the routing module with want_response==true can crash the router, causing degradation of service for nodes within range and potentially affecting MQTT downlinks. Root cause...
CVE-2025-24003 MQTT OOB Write Vulnerability in EichrechtAgents of German EV Charging Stations
An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity for only EichrechtAgents and potential denial-of-service for these stations...
CVE-2025-24003
The CVE-2025-24003 entry describes an unauthenticated remote attack where MQTT messages trigger out-of-bounds writes in EichrechtAgents used by German EV charging stations, causing integrity loss and potential DoS. Root cause: out-of-bounds write via MQTT in EichrechtAgents; impact includes loss ...
CVE-2025-24002 MQTT DoS Vulnerability in German EV Charging Stations
An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they got restarted by the watchdog...
CVE-2025-29756 MQTT implementation in Sungrow iSolarCloud allowed users to subscribe to all data of all connected inverters
SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. While...
CVE-2023-22600
InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An...