791 matches found
Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication. id: CVE-2024-32114 info: name: Apache ActiveMQ 6.x 6.1....
CVE-2026-54475
A flaw was found in Apache ActiveMQ. Temporary destinations, which are designed to be private to a specific connection, can be accessed by other connections due to a missing authorization check. This allows an unauthorized connection to consume messages from another connection's temporary...
CVE-2026-53917
A flaw was found in Apache ActiveMQ. An authenticated user can exploit this vulnerability by sending a specially crafted OpenWire Message with an excessively large encoded size value for the message property map. This lack of size validation during unmarshaling can lead to an out-of-memory error,...
CVE-2026-50734
A flaw was found in Apache ActiveMQ. An unauthenticated network attacker can exploit this vulnerability by sending a specially crafted WireFormatInfo frame with an excessively large size value. This unvalidated value causes the broker to attempt an oversized memory allocation during...
DEBIAN-CVE-2026-54475
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...
CVE-2026-54475
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...
DEBIAN-CVE-2026-49877
Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/ paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from...
CVE-2026-49432
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can...
CVE-2026-49877
Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/ paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from...
EUVD-2026-40284
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can...
EUVD-2026-40283
Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/ paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from...
CVE-2026-49877
CVE-2026-49877 documents an Improper Authorization vulnerability in Apache ActiveMQ. An authenticated, low-privilege Web Console user can access "/admin/*" paths because Jetty default settings fail to restrict those paths to admins. Affected versions are before 5.19.8 and before 6.2.7 (i.e., 6.0....
CVE-2026-52760 Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a J...
CVE-2026-54475 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...
CVE-2026-49268 vulnerabilities
Vulnerabilities for packages: apache-activemq, apache-jena-fuseki, neo4j, apache-activemq-fips...
GHSA-X96M-RH44-VGV8 vulnerabilities
Vulnerabilities for packages: apache-activemq, apache-jena-fuseki, neo4j, apache-activemq-fips...
CVE-2026-45505
A flaw was found in Apache ActiveMQ. This vulnerability allows an authenticated attacker to bypass a previous fix for CVE-2026-34197 by using non-parenthesized discovery wrappers. By crafting a malicious discovery URI, the attacker can trigger the VM transport's brokerConfig parameter to load a...
Exploit for Improper Input Validation in Apache Activemq
CVE-2026-42588 – Apache ActiveMQ Jolokia Remote Code Execution...
Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum
When Open Source is a bit too Open Several fun modules landed this week, including an Apache RCE, Windows Kernel pointer collection, and Gogs RCE via naming. Leading off is Gogs' RCE that allows an attacker to execute commands by naming their branch --exec and requesting a rebase. Another useful...
BIT-ACTIVEMQ-2026-49157 Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default
Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin low-privilege web-login accounts access to Jolokia operations which allowed executing broker...