Apache ActiveMQ
27 CVEs affecting Apache ActiveMQ. Latest disclosed: 2026-06-01. Critical: 2, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2014-3600 | Critical | 9.8 | 2017-10-27 | XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath… |
| CVE-2015-5254 | Critical | 9.8 | 2016-01-08 | Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code v… |
| CVE-2026-49157 | High | 8.8 | 2026-06-01 | Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolok… |
| CVE-2026-45505 | High | 8.8 | 2026-06-01 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache Activ… |
| CVE-2026-42588 | High | 8.1 | 2026-06-01 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache Activ… |
| CVE-2026-39304 | High | 7.5 | 2026-04-10 | Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not corre… |
| CVE-2014-3576 | High | 7.5 | 2015-08-14 | The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (sh… |
| CVE-2026-42253 | Medium | 6.1 | 2026-06-01 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet… |
| CVE-2016-0734 | Medium | 6.1 | 2016-04-07 | The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attack… |
| CVE-2026-49270 | Medium | 5.9 | 2026-06-01 | Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured… |
| CVE-2016-0782 | Medium | 5.4 | 2016-08-05 | The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduc… |
| CVE-2026-46605 | Medium | 4.3 | 2026-06-01 | Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with pro… |
| CVE-2015-7559 | Low | 2.7 | 2019-08-01 | It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a comprom… |
| CVE-2015-6524 | | | 2015-08-24 | The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators i… |
| CVE-2014-3612 | | | 2015-08-24 | The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to… |
| CVE-2015-1830 | | | 2015-08-19 | Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows rem… |
| CVE-2014-8110 | | | 2015-02-12 | Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inje… |
| CVE-2013-1880 | | | 2014-02-05 | Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers… |
| CVE-2013-1879 | | | 2013-07-20 | Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML v… |
| CVE-2013-3060 | | | 2013-04-21 | The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denia… |