pkg:Bitnami/activemq

29 total CVEs: CRITICAL 2, HIGH 10, MEDIUM 17

All known vulnerabilities

  • CRITICAL 10.0 CVE-2023-46604 ⚠ KEV: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
    from 0, < 5.15.16, >= 5.16.0, < 5.16.7, >= 5.17.0, < 5.17.6, >= 5.18.0, < 5.18.3
  • HIGH 8.8 CVE-2026-34197 ⚠ KEV: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
    from 0, < 5.19.4, >= 6.0.0, < 6.2.3
  • CRITICAL 9.8 CVE-2020-11998: Remote code execution in Apache ActiveMQ
    >= 5.15.12, <= 5.15.12
  • HIGH 8.8 CVE-2026-41044: Apache ActiveMQ Vulnerable to Code Injection
    from 0, < 5.19.6, >= 6.0.0, < 6.2.5
  • HIGH 8.8 CVE-2026-40466: Apache ActiveMQ Vulnerable to Improper Input Validation and Code Injection
    from 0, < 5.19.6, >= 6.0.0, < 6.2.5
  • HIGH 8.8 CVE-2024-32114: Apache ActiveMQ's default configuration doesn't secure the API web context
    >= 6.0.0, < 6.1.2
  • HIGH 8.8 CVE-2022-41678: Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE
    from 0, < 5.16.6, >= 5.17.0, < 5.17.4
  • HIGH 8.0 CVE-2020-26217: XStream can be used for Remote Code Execution
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0
  • HIGH 7.5 CVE-2026-39304: Apache ActiveMQ: Denial of Service via Out of Memory vulnerability
    from 0, < 5.19.4, >= 6.0.0, < 6.2.4
  • HIGH 7.5 CVE-2025-27533: Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation
    >= 5.16.0, < 5.16.8, >= 5.17.0, < 5.17.7, >= 5.18.0, < 5.18.7, >= 6.0.0, < 6.1.6
  • HIGH 7.5 CVE-2021-26117: ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind
    >= 5.15.0, < 5.15.14, >= 5.16.0, < 5.16.1
  • HIGH 7.5 CVE-2021-21341: XStream can cause a Denial of Service.
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 6.5 CVE-2026-41043: Apache ActiveMQ Vulnerable to Cross-site Scripting
    from 0, < 5.19.6, >= 6.0.0, < 6.2.5
  • MEDIUM 6.1 CVE-2020-13947: Cross-site scripting (XSS) in Apache ActiveMQ
    from 0, < 5.15.14, >= 5.16.0, < 5.16.1
  • MEDIUM 6.1 CVE-2021-21349: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 6.1 CVE-2021-21347: XStream is vulnerable to an Arbitrary Code Execution attack
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 6.1 CVE-2021-21346: XStream is vulnerable to an Arbitrary Code Execution attack
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 6.1 CVE-2020-1941: Apache ActiveMQ webconsole admin GUI is open to XSS
    >= 5.0.0, <= 5.15.11
  • MEDIUM 5.9 CVE-2020-13920: activemq - security update
    from 0, < 5.15.12
  • MEDIUM 5.8 CVE-2021-21345: XStream is vulnerable to a Remote Command Execution attack
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 5.4 CVE-2026-40046: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated
    >= 6.0.0, < 6.2.4
  • MEDIUM 5.4 CVE-2025-66168: Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated
    from 0, < 5.19.2, >= 6.0.0, < 6.1.9, >= 6.2.0, < 6.2.1
  • MEDIUM 5.4 CVE-2021-21351: XStream is vulnerable to an Arbitrary Code Execution attack
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 5.3 CVE-2021-21350: XStream is vulnerable to an Arbitrary Code Execution attack
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 5.3 CVE-2021-21348: XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDoS)
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 5.3 CVE-2021-21344: XStream is vulnerable to an Arbitrary Code Execution attack
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 5.3 CVE-2021-21343: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 5.3 CVE-2021-21342: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
    from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0, >= 5.16.1, <= 5.16.1
  • MEDIUM 4.3 CVE-2026-33227: Apache ActiveMQ: Improper validation and restriction of a classpath path name
    from 0, < 5.19.3, >= 6.0.0, < 6.2.2