Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stored XSS requires high privileges to plant payload and user interaction to trigger; scope changes to victim browser with limited session-level C and I impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_federation_management plugin renders the consumer_tag field on the Federation Status page without HTML escaping, allowing a user who can configure a federation upstream or policy to execute JavaScript in the browser of a user viewing that page. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.
AnalysisAI
Stored cross-site scripting in the RabbitMQ federation management plugin allows any user with federation upstream or policy configuration privileges to execute arbitrary JavaScript in the browser of an administrator viewing the Federation Status page. The rabbitmq_federation_management plugin renders the consumer_tag field without HTML escaping, making it a persistent injection vector that fires passively when a victim navigates to the page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two specific conditions must be met simultaneously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:P, score 5.7) encodes three meaningful constraints that substantially reduce real-world risk relative to a generic XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding RabbitMQ administrative credentials configures a federation upstream with a consumer_tag payload containing a JavaScript snippet designed to exfiltrate the victim's management UI session cookie to an attacker-controlled endpoint. When a second administrator subsequently navigates to the Federation Status page, the unescaped tag renders as live script in the victim's browser, executing the payload and transmitting their session token. … |
| Remediation | Upgrade RabbitMQ to one of the vendor-released patched versions: 3.13.14, 4.0.19, 4.1.10, or 4.2.5, which introduce HTML escaping for the consumer_tag field via the fixes in PRs #15708 and #15711 (commits 33dedfe4 and c2d0d69e). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Rabbitmq Server
View allPivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x ver
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in
Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions p
RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing
Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash o
Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange d
Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or deg
Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or
Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated
Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restrict
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43014