VYPR

Maven package

org.apache.activemq/activemq-client

pkg:maven/org.apache.activemq/activemq-client

Vulnerabilities (18)

  • CVE-2026-39304 | High | Apr 10, 2026
    affected < 5.19.4 | fixed 5.19.4

    Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger upd

  • CVE-2026-33227 | Medium | Apr 7, 2026
    affected < 5.19.3 | fixed 5.19.3

    Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web co

  • CVE-2025-27533 | May 7, 2025
    affected < 5.16.8 | fixed 5.16.8

    Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by dep

  • CVE-2023-46604 | KEV | Oct 27, 2023
    affected < 5.15.16 | fixed 5.15.16

    The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenW

  • CVE-2015-7559 | Aug 1, 2019
    affected < 5.14.5 | fixed 5.14.5

    It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

  • CVE-2019-0222 | Mar 28, 2019
    affected >= 5.0.0, < 5.15.9 | fixed 5.15.9

    In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling a corrupt MQTT frame can lead to a broker Out of Memory exception, making it unresponsive.

  • CVE-2018-11775 | Sep 10, 2018
    affected < 5.15.6 | fixed 5.15.6

    TLS hostname verification was missing when using the Apache ActiveMQ Client before 5.15.6, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

  • CVE-2016-6810 | Jan 10, 2018
    affected >= 5.0.0, < 5.14.2 | fixed 5.14.2

    In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.

  • CVE-2014-3600 | Critical | Oct 27, 2017
    affected >= 5.0.0, < 5.10.1 | fixed 5.10.1

    XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.

  • CVE-2016-0782 | Medium | Aug 5, 2016
    affected >= 5.0.0, < 5.11.4 | fixed 5.11.4

    The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors re

  • CVE-2016-3088 | Critical | KEV | Jun 1, 2016
    affected >= 5.0.0, < 5.14.0 | fixed 5.14.0

    The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

  • CVE-2016-0734 | Medium | Apr 7, 2016
    affected >= 5.0.0, < 5.13.2 | fixed 5.13.2

    The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

  • CVE-2015-5254 | Critical | Jan 8, 2016
    affected >= 5.0.0, < 5.11.3 | fixed 5.11.3

    Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

  • CVE-2015-1830 | Aug 19, 2015
    affected >= 5.0.0, < 5.11.2 | fixed 5.11.2

    Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.

  • CVE-2014-3576 | High | Aug 14, 2015
    affected < 5.11.0 | fixed 5.11.0

    The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.

  • CVE-2014-8110 | Feb 12, 2015
    affected >= 5.0.0, < 5.10.1 | fixed 5.10.1

    Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2013-1879 | Jul 20, 2013
    affected < 5.9.0 | fixed 5.9.0

    Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message."

  • CVE-2013-3060 | Apr 21, 2013
    affected < 5.8.0 | fixed 5.8.0

    The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.