Lucene search
K
ApacheActivemq

72 matches found

CVE
CVE
added 2014/02/05 6:0 p.m.88 views

CVE-2013-1880

CVE-2013-1880 (ActiveMQ) : XSS in the Portfolio publisher servlet of the Apache ActiveMQ demo web app prior to 5.9.0. By supplying a crafted value to the refresh parameter of demo/portfolioPublish, an attacker can inject arbitrary script/HTML. Root cause: improper validation/neutralization of inp...

4.3CVSS7.5AI score0.05895EPSS
CVE
CVE
added 2013/04/21 9:0 p.m.88 views

CVE-2013-3060

CVE-2013-3060 affects Apache ActiveMQ pre-5.8.0, where the web console did not require authentication. This allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests. Public sources in the provided documents (e.g., ActiveMQ advisories and related Red H...

6.4CVSS8.9AI score0.06311EPSS
CVE
CVE
added 2010/04/05 4:0 p.m.82 views

CVE-2010-0684

Apache ActiveMQ (the server) is affected by CVE-2010-0684 due to an input validation flaw in the createDestination.action handler. The JMSDestination parameter can be exploited to inject arbitrary script/HTML in the admin UI, leading to cross-site scripting. The issue requires an authenticated re...

3.5CVSS7.1AI score0.04283EPSS
CVE
CVE
added 2010/04/05 4:0 p.m.79 views

CVE-2010-1244

Apache ActiveMQ contains a CSRF vulnerability in createDestination.action that affects releases prior to 5.3.1. An attacker could remotely hijack an authenticated user’s session to create queues via the JMSDestination parameter in a queue action. The issue is documented across multiple sources ty...

6.8CVSS7.2AI score0.01084EPSS
CVE
CVE
added 2026/06/01 7:22 a.m.64 views

CVE-2026-45505

CVE-2026-45505 details a Code Injection vulnerability in Apache ActiveMQ components (Broker/All/ActiveMQ) where non-standard Jolokia discovery wrappers (e.g., masterslave:vm://, static:vm://) bypass the fix for CVE-2026-34197. An authenticated attacker could abuse Jolokia’s JMX-HTTP bridge at /ap...

8.8CVSS6.4AI score0.00577EPSS
CVE
CVE
added 2026/06/01 7:23 a.m.57 views

CVE-2026-42253

CVE-2026-42253 affects Apache ActiveMQ and Apache ActiveMQ Web. The vulnerability arises in the MessageServlet of the web console API, which copies every JMS message property into HTTP response headers without validation, enabling potential HTTP header injection and cross-site scripting via JMS m...

6.1CVSS5.8AI score0.01107EPSS
CVE
CVE
added 2026/06/01 7:20 a.m.48 views

CVE-2026-49157

CVE-2026-49157 affects Apache ActiveMQ prior to 5.19.7 and prior to 6.2.6 for 6.x. The vulnerability arises from default Jolokia authorization settings that grant non-admin (low-privilege) web-login accounts access to broker-management operations (e.g., addQueue, removeQueue). This can impact con...

8.8CVSS5.8AI score0.00424EPSS
CVE
CVE
added 2026/06/01 7:19 a.m.41 views

CVE-2026-49270

Issue summary: CVE-2026-49270 in Apache ActiveMQ components exposes sensitive subscription metadata when a broker with a network connector using syncDurableSubs=true answers a BrokerInfo command without authenticating the connection. Affected products/versions (per sources): Apache ActiveMQ Broke...

5.9CVSS5.8AI score0.00328EPSS
CVE
CVE
added 2026/06/01 7:21 a.m.38 views

CVE-2026-46605

CVE-2026-46605 affects Apache ActiveMQ brokers. Insecure authorization allows authenticated users to remove existing destinations when permissions exist, before versions 6.2.6 (and 5.19.7) were released. Affected ranges include: Apache ActiveMQ Broker: before 5.19.7; from 6.0.0 before 6.2.6; Apac...

4.3CVSS5.8AI score0.00335EPSS
CVE
CVE
added 2026/04/07 7:50 a.m.36 views

CVE-2026-33227

CVE-2026-33227 affects Apache ActiveMQ family (Client, Broker, All, Web) via an improper validation and restriction of classpath path name. In two contexts (creating a Stomp consumer and browsing Web console messages), an authenticated user could craft a key to traverse the classpath due to path ...

4.3CVSS5.8AI score0.00419EPSS
CVE
CVE
added 2026/04/24 10:16 a.m.23 views

CVE-2026-41044

The CVE describes an authenticated RCE/Code Injection in Apache ActiveMQ (Classic) and related brokers via the admin web console. An attacker can craft a malicious broker name (bypassing validation) that embeds an xbean binding, which a VM transport can later load through a DestinationView MBean ...

8.8CVSS6.5AI score0.0098EPSS
CVE
CVE
added 2026/04/10 10:54 a.m.22 views

CVE-2026-39304

Summary: CVE-2026-39304 describes a DoS via Out-of-Memory in Apache ActiveMQ components caused by TLSv1.3 KeyUpdate handling in NIO SSL transports. The broker and clients are affected for multiple versions prior to 6.2.4 or 5.19.4, with the recommended fixes being 6.2.4 or 5.19.5. The issue arise...

7.5CVSS5.8AI score0.00896EPSS
CVE
CVE
added 2026/06/30 9:50 a.m.22 views

CVE-2026-52760

CVE-2026-52760 is a Cross-site Scripting vulnerability in Apache ActiveMQ and its Web Console. The issue arises because the browse page renders a JMS message ID directly without sanitization, enabling an authenticated producer to send a crafted message ID that contains HTML/JavaScript, which will...

6.1CVSS5.7AI score0.00563EPSS
CVE
CVE
added 2026/04/24 10:16 a.m.20 views

CVE-2026-41043

CVE-2026-41043 describes an XSS vulnerability in Apache ActiveMQ and Apache ActiveMQ Web. An authenticated attacker can cause the web console queues page to render HTML content by overriding the content type from XML to HTML and injecting HTML into a JMS selector field, leading to basic HTML/scri...

6.5CVSS5.3AI score0.0056EPSS
CVE
CVE
added 2026/06/30 9:51 a.m.15 views

CVE-2026-50750

CVE-2026-50750 describes a pre-authentication Denial of Service in Apache ActiveMQ components where an unauthenticated attacker can flood BrokerInfo messages without a ConnectionInfo, causing an Out of Memory condition and broker crash. Affected ranges include Apache ActiveMQ Broker: 5.19.7 befor...

7.5CVSS5.8AI score0.00707EPSS
CVE
CVE
added 2026/06/30 9:48 a.m.15 views

CVE-2026-54475

Summary of CVE-2026-54475 : A missing authorization check allows unauthorized connections to access temporary destinations in Apache ActiveMQ components. Affected versions include Apache ActiveMQ Broker prior to 5.19.8 and 6.0.0–6.2.6, Apache ActiveMQ All prior to 5.19.8 and 6.0.0–6.2.6, and Apac...

7.5CVSS5.7AI score0.00589EPSS
CVE
CVE
added 2026/06/30 9:49 a.m.14 views

CVE-2026-53916

CVE-2026-53916 describes a memory allocation issue in Apache ActiveMQ families (ActiveMQ, ActiveMQ All, ActiveMQ Stomp) caused by an unauthenticated STOMP NIO client that can emit header bytes that never terminate. This unbounded header buffering can exhaust the JVM heap. Affected versions are be...

7.5CVSS5.9AI score0.00796EPSS
CVE
CVE
added 2026/06/30 9:55 a.m.12 views

CVE-2026-49434

CVE-2026-49434 is an Improper Input Validation vulnerability affecting Apache ActiveMQ Broker, ActiveMQ, and ActiveMQ All. An attacker with permission to publish/modify LDAP entries (matching configured searchBase/searchFilter) can instantiate denied transports inside the broker JVM, enabling ret...

7.5CVSS5.7AI score0.00659EPSS
CVE
CVE
added 2026/06/30 9:53 a.m.12 views

CVE-2026-49877

CVE-2026-49877 documents an Improper Authorization vulnerability in Apache ActiveMQ. An authenticated, low-privilege Web Console user can access "/admin/*" paths because Jetty default settings fail to restrict those paths to admins. Affected versions are before 5.19.8 and before 6.2.7 (i.e., 6.0....

8.1CVSS5.8AI score0.0051EPSS
CVE
CVE
added 2026/06/30 9:54 a.m.11 views

CVE-2026-49432

CVE-2026-49432 affects Apache ActiveMQ, including ActiveMQ All and ActiveMQ Stomp, due to improper input validation on STOMP exposure. A remote unauthenticated attacker can trigger denial-of-service by sending a negative content-length to an exposed STOMP connector. On the NIO STOMP transport, an...

7.5CVSS6AI score0.00844EPSS
CVE
CVE
added 2026/06/30 9:53 a.m.11 views

CVE-2026-50734

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, and Apache ActiveMQ All allows an unauthenticated network attacker to cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The broker may allocate memor...

7.5CVSS5.7AI score0.00796EPSS
CVE
CVE
added 2026/06/30 9:49 a.m.9 views

CVE-2026-53917

CVE-2026-53917 describes an unbounded memory allocation vulnerability in OpenWire property unmarshalling in Apache ActiveMQ and related builds. An authenticated user can send a crafted OpenWire Message with a very large encoded size value for a message property map, causing OpenWire maps to be un...

7.5CVSS5.7AI score0.00796EPSS
Total number of security vulnerabilities72