CVE-2026-44839 PUBLISHED

RabbitMQ: Unsanitized vhost names allow for XSS in management UI

Assigner: GitHub_M
Reserved: 07.05.2026 Published: 27.05.2026 Updated: 27.05.2026

RabbitMQ is a messaging and streaming broker. Versions from 3.7.0 to before 4.1.2 and 4.0.13 are affected. This vulnerability is fixed in 4.1.2 and 4.0.13.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.6

Product Status

Vendor rabbitmq
Product rabbitmq-server
Versions
  • Version >= 3.7.0, < 4.0.13 is affected
  • Version >= 4.1.0-alpha, < 4.1.2 is affected

References

Problem Types

  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)