Product

Apache ActiveMQ

57 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-41044
< 5.19.6
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache Acti
8.8 HIGH
CVE-2026-41043
< 5.19.6
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ We
6.5 MEDIUM
CVE-2026-40466
< 5.19.6
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apac
8.8 HIGH
CVE-2026-39304
< 5.19.4
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NI
7.5 HIGH
CVE-2026-34197
< 5.19.4
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apac
8.8 HIGH
CVE-2026-33227
< 5.19.3
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, A
4.3 MEDIUM
CVE-2025-66168
< 5.19.2
WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for m
5.4 MEDIUM
CVE-2025-27533
>= 5.16.0 and < 5.16.8
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size
7.5 HIGH
CVE-2024-32114
>= 6.0.0 and < 6.1.2
In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Messa
8.5 HIGH
CVE-2022-41678
< 5.16.6
Once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In detail, in ActiveMQ configur
8.8 HIGH
CVE-2023-46604
< 5.15.16
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with
10.0 CRITICAL
CVE-2021-21351
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability m
5.4 MEDIUM
CVE-2021-21350
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3 MEDIUM
CVE-2021-21349
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
6.1 MEDIUM
CVE-2021-21348
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3 MEDIUM
CVE-2021-21347
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
6.1 MEDIUM
CVE-2021-21346
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
6.1 MEDIUM
CVE-2021-21345
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.8 MEDIUM
CVE-2021-21344
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3 MEDIUM
CVE-2021-21343
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3 MEDIUM
CVE-2021-21342
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability w
5.3 MEDIUM
CVE-2021-21341
< 5.15.14
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability whi
7.5 HIGH
CVE-2020-13947
< 5.15.14
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the me
6.1 MEDIUM
CVE-2021-26117
>= 5.15.0 and < 5.15.14
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache Act
7.5 HIGH
CVE-2020-26217
< 5.15.14
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrar
8.0 HIGH
CVE-2020-13920
< 5.15.12
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It
5.9 MEDIUM
CVE-2020-11998
all versions
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer,
9.8 CRITICAL
CVE-2020-1941
>= 5.0.0 and <= 5.15.11
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
6.1 MEDIUM
CVE-2015-7559
< 5.14.5
It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An a
2.7 LOW
CVE-2019-0201
all versions
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t ch
5.9 MEDIUM
CVE-2013-7285
all versions
XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attack
9.8 CRITICAL
CVE-2019-10241
all versions
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a
6.1 MEDIUM
CVE-2019-0222
>= 5.0.0 and <= 5.15.8
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling a corrupt MQTT frame can lead to a broker Out of Memory exception making it unrespons
7.5 HIGH
CVE-2018-8006
>= 5.0.0 and <= 5.15.5
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the qu
6.1 MEDIUM
CVE-2018-11775
< 5.15.6
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable t
7.4 HIGH
CVE-2017-15709
>= 5.14.0 and <= 5.15.2
When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS an
3.7 LOW
CVE-2016-6810
>= 5.0.0 and < 5.14.2
In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web
6.1 MEDIUM
CVE-2014-3600
all versions
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact vi
9.8 CRITICAL
CVE-2016-0782
all versions
The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote
5.4 MEDIUM
CVE-2016-3088
>= 5.0.0 and < 5.14.0
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files
9.8 CRITICAL
CVE-2016-0734
all versions
The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which make
6.1 MEDIUM
CVE-2015-5254
all versions
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attacker
9.8 CRITICAL
CVE-2015-6524
all versions
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.
CVE-2014-3612
all versions
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.
CVE-2015-1830
all versions
Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before
CVE-2014-3576
<= 5.10.0
The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to
7.5 HIGH
CVE-2014-8110
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 a
CVE-2013-1880
<= 5.8.0
Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before
CVE-2013-1879
<= 5.8.0
Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject a
CVE-2013-3060
<= 5.7.0
The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive
CVE-2012-6551
<= 5.7.0
The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause
CVE-2012-6092
<= 5.7.0
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inj
CVE-2012-5784
<= 5.7.0
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Mess
CVE-2011-4905
<= 5.5.1
Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or
CVE-2010-1587
all versions
The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source co
CVE-2010-1244
<= 5.3.0
Cross-site request forgery (CSRF) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote attacker
CVE-2010-0684
<= 5.3.0
Cross-site scripting (XSS) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote authenticated u
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin