Lucene search

42 matches found

RedhatCVE
added 2026/05/04 6:3 p.m., 3 views

CVE-2026-40860

A flaw was found in Apache Camel. A remote attacker could exploit a deserialization vulnerability by sending a specially crafted Java Message Service (JMS) ObjectMessage to a Camel application acting as a JMS consumer. This vulnerability arises because the application deserializes the message paylo...

9.8 CVSS, 6.4 AI score, 0.00961 EPSS
Exploits 0, References 5
NVD
added 2026/04/27 9:16 a.m., 1 views

CVE-2026-40860

JmsBinding.extractBodyFromJms in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is...

9.8 CVSS, 0.00961 EPSS
Exploits 0, References 2
CVE
added 2026/04/27 8:3 a.m., 11 views

CVE-2026-40860

Apache Camel CVE-2026-40860 describes unsafe deserialization of JMS ObjectMessage payloads in camel-jms, camel-sjms, camel-sjms2 and camel-amqp. The root cause is deserialization via javax.jms.ObjectMessage.getObject() without ObjectInputFilter or allow/deny lists, triggered when mapJmsMessage is...

9.8 CVSS, 6.4 AI score, 0.00961 EPSS
Exploits 0, References 2, Affected Software 1
EUVD
added 2026/04/27 8:3 a.m., 2 views

EUVD-2026-25794

JmsBinding.extractBodyFromJms in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is...

9.8 CVSS, 6.4 AI score, 0.00961 EPSS
Exploits 0, References 1
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-3674

Malicious code in bioql PyPI...

7.5 CVSS, 7.5 AI score, 0.02129 EPSS
Exploits 0, References 8
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2021-7743

Malicious code in bioql PyPI...

7.2 CVSS, 6.9 AI score, 0.02131 EPSS
Exploits 0, References 4
OSV
added 2022/05/13 1:30 a.m., 0 views

GHSA-Q9HR-3PG4-3JP4 Improper Input Validation in Apache ActiveMQ

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object...

9.8 CVSS, 7.6 AI score, 0.8038 EPSS
Exploits 4, References 19
Veracode
added 2022/02/17 12:7 a.m., 24 views

Remote Code Execution (RCE)

Artemis in EAP 7 is vulnerable to remote code execution. The vulnerability exists due to a lack of validation of permissions of the application using a JMS ObjectMessage, allowing an attacker to execute maliciously crafted code in the system...

7.2 CVSS, 4.7 AI score, 0.02131 EPSS
Exploits 0, References 6, Affected Software 18
RedHat Linux
added 2022/02/02 1:56 p.m., 2 views

7: Incomplete fix of CVE-2016-4978 in HornetQ library

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage...

7.2 CVSS, 7.7 AI score, 0.02131 EPSS
Exploits 0, References 4
NVD
added 2021/12/23 8:15 p.m., 16 views

CVE-2021-20318

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage...

7.2 CVSS, 0.02131 EPSS
Exploits 0, References 1
OSV
added 2021/12/23 8:15 p.m., 0 views

CVE-2021-20318

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage...

7.2 CVSS, 7.6 AI score
Exploits 0, References 1
Prion
added 2021/12/23 8:15 p.m., 18 views

Hardcoded credentials

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage...

6.5 CVSS, 8.4 AI score, 0.02131 EPSS
Exploits 0, References 1, Affected Software 1
Cvelist
added 2021/12/23 7:48 p.m., 21 views

CVE-2021-20318

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage...

8.7 AI score, 0.02131 EPSS
Exploits 0, References 1
RedhatCVE
added 2021/10/05 6:6 a.m., 50 views

CVE-2021-20318

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage...

7.2 CVSS, 3 AI score, 0.02131 EPSS
Exploits 0, References 3
CNNVD
added 2021/10/05 12:0 a.m., 1 views

Red Hat JBoss Enterprise Application Platform 7 Code Issue Vulnerability

Red Hat JBoss Enterprise Application Platform 7 (Red Hat JBoss EAP 7) is a middleware platform built on open standards and compatible with the Java EE 7 specification from Red Hat USA. A code issue vulnerability exists in Red Hat JBoss Enterprise Application Platform 7 Artemis that stems from the...

7.2 CVSS, 8 AI score, 0.02131 EPSS
Exploits 0, References 4
IBM Security Bulletins
added 2020/08/04 6:46 p.m., 46 views

Security Bulletin: CVE-2015-5254 Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker

Summary: CVE-2015-5254 Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. Vulnerability Details: CVEID: CVE-2015-5254...

9.8 CVSS, 3.2 AI score, 0.8038 EPSS
Exploits 4, Affected Software 1
IBM Security Bulletins
added 2019/12/17 10:47 p.m., 43 views

Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2015-5254)

Summary: An Apache ActiveMQ vulnerability for potentially allowing a remote attacker to execute arbitrary code was addressed by IBM Control Center. Control Center is only vulnerable if configured to use JMS (Java Messaging Service). Vulnerability Details: CVEID: CVE-2015-5254 DESCRIPTION: Apache...

9.8 CVSS, 2.4 AI score, 0.8038 EPSS
Exploits 4, Affected Software 1
Veracode
added 2019/01/15 9:18 a.m., 41 views

Remote Code Execution Through Deserialization Attack

Apache ActiveMQ Artemis is vulnerable to deserialization attacks. The JMS specification outlines a getObject method on the javax.jms.ObjectMessage class. The Apache Artemis implementation of this method allows the deserialization of objects from untrusted sources. There are several places where...

7.2 CVSS, 8.6 AI score, 0.0136 EPSS
Exploits 0, References 29, Affected Software 197
Veracode
added 2019/01/15 9:11 a.m., 28 views

Deserialization Of Untrusted Data

Apache ActiveMQ allows for deserialization of objects both in the Broker and in any applications which process ObjectMessage messages, specifically by using ObjectMessage.getObject. Broker deserialization happens in HTTP, Stop, Web Console, and other components. The deserialization in versions 5.0...

9.8 CVSS, 8.4 AI score, 0.8038 EPSS
Exploits 4, References 42, Affected Software 19
IBM Security Bulletins
added 2018/06/15 7:7 a.m., 15 views

Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server in Bluemix MQ JCA Resource adapter (CVE-2016-0360)

Summary: There is a potential security vulnerability with the WebSphere Application Server MQ JCA Resource adapter. Vulnerability Details: CVEID: CVE-2016-0360 DESCRIPTION: IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources whi...

9.8 CVSS, 1.4 AI score, 0.00962 EPSS
Exploits 0, Affected Software 1