CVE-2026-57214
HIGH
7.1
CVSS 4.0
Description
RabbitMQ is a messaging and streaming broker. Prior to 4.2.5, the RabbitMQ management UI renders the x-internal-purpose queue or exchange argument into an HTML title attribute without proper escaping on the Queues and Exchanges pages, allowing a user with permission to declare a queue or exchange to execute JavaScript in another user's browser. This issue is fixed in version 4.2.5.
Metadata
Severity & Metrics
7.1
HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| rabbitmq | rabbitmq-server | — | >= 4.2.0, < 4.2.5 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-79 | cna | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.1 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
References (6)
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-6jfq-prw2-7rwp https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-6jfq-prw2-7rwp
- https://github.com/rabbitmq/rabbitmq-server/pull/15606 https://github.com/rabbitmq/rabbitmq-server/pull/15606
- https://github.com/rabbitmq/rabbitmq-server/pull/15608 https://github.com/rabbitmq/rabbitmq-server/pull/15608
- https://github.com/rabbitmq/rabbitmq-server/commit/b0027b6c1ae5b869d876e211efe6189ffd92b5c2 https://github.com/rabbitmq/rabbitmq-server/commit/b0027b6c1ae5b869d876e211efe6189ffd92b5c2
- https://github.com/rabbitmq/rabbitmq-server/commit/b267a290dd89e42c6e0256f46fc273a8adb7f3ec https://github.com/rabbitmq/rabbitmq-server/commit/b267a290dd89e42c6e0256f46fc273a8adb7f3ec
- https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.5 https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.5