VYPR

ActiveMQ

by Apache

CVEs (44)

  • CVE-2016-3088 | Critical | KEV | Jun 1, 2016
    risk 0.80 | CVSS 9.8 | EPSS 0.99

    The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

  • CVE-2026-34197 | High | KEV | Apr 7, 2026
    risk 0.79 | CVSS 8.8 | EPSS 0.96

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy…

  • CVE-2015-5254 | Critical | Jan 8, 2016
    risk 0.60 | CVSS 9.8 | EPSS 0.38

    Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

  • CVE-2026-40466 | High | Apr 24, 2026
    risk 0.59 | CVSS 8.8 | EPSS 0.04

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery…

  • CVE-2026-49157 | High | Jun 1, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which…

  • CVE-2026-45505 | High | Jun 1, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass…

  • CVE-2026-41044 | High | Apr 24, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses…

  • CVE-2014-3600 | Critical | Oct 27, 2017
    risk 0.57 | CVSS 9.8 | EPSS 0.10

    XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.

  • CVE-2026-42588 | High | Jun 1, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default…

  • CVE-2026-39304 | High | Apr 10, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger…

  • CVE-2021-26117 | High | Jan 27, 2021
    risk 0.43 | CVSS 7.5 | EPSS 0.11

    The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users…

  • CVE-2014-3576 | High | Aug 14, 2015
    risk 0.43 | CVSS 7.5 | EPSS 0.13

    The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.

  • CVE-2026-41043 | Medium | Apr 24, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead…

  • CVE-2018-11775 | High | Sep 10, 2018
    risk 0.42 | CVSS 7.4 | EPSS 0.07

    TLS hostname verification was missing when using the Apache ActiveMQ Client before 5.15.6, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

  • CVE-2026-42253 | Medium | Jun 1, 2026
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation.…

  • CVE-2026-49270 | Medium | Jun 1, 2026
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive…

  • CVE-2018-8006 | Medium | Oct 10, 2018
    risk 0.37 | CVSS 6.1 | EPSS 0.56

    An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter.

  • CVE-2025-66168 | Medium | Mar 4, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046 …

  • CVE-2016-6810 | Medium | Jan 10, 2018
    risk 0.33 | CVSS 6.1 | EPSS 0.06

    In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.

  • CVE-2016-0734 | Medium | Apr 7, 2016
    risk 0.33 | CVSS 6.1 | EPSS 0.08

    The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

Page 1 of 3