Every CVE whose affected-product data names Eclipse Mosquitto, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (26)
CVE-2024-10525 — CVSS 9.8 (critical): In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client…
CVE-2018-12550 — CVSS 8.1 (high): When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only…
CVE-2018-12551 — CVSS 8.1 (high): When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the…
CVE-2023-28366 — CVSS 7.5 (high): The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS…
CVE-2021-41039 — CVSS 7.5 (high): In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause…
CVE-2017-7655 — CVSS 7.5 (high): In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to…
CVE-2018-12543 — CVSS 7.5 (high): In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is…
CVE-2017-7651 — CVSS 7.5 (high): In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large…
CVE-2018-20145 — CVSS 7.5 (high): Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was…
CVE-2023-5632 — CVSS 7.5 (high): In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT…
CVE-2024-8376 — CVSS 7.5 (high): In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending…
CVE-2017-7652 — CVSS 7.5 (high): In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers…
CVE-2017-7654 — CVSS 7.5 (high): In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can…
CVE-2021-34432 — CVSS 7.5 (high): In Eclipse Mosquitto versions 2.0.7 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.
CVE-2019-11779 — CVSS 6.5 (medium): In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of…
CVE-2018-12546 — CVSS 6.5 (medium): In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that…
CVE-2017-7650 — CVSS 6.5 (medium): In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows…
CVE-2021-28166 — CVSS 6.5 (medium): In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to…
CVE-2021-34431 — CVSS 6.5 (medium): In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to…
CVE-2024-3935 — CVSS 6.5 (medium): In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and…
CVE-2023-3592 — CVSS 5.8 (medium): In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property…
CVE-2023-0809 — CVSS 5.8 (medium): In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
CVE-2017-9868 — CVSS 5.5 (medium): In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT…
CVE-2019-11778 — CVSS 5.4 (medium): If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay…
CVE-2021-34434 — CVSS 5.3 (medium): In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a…
CVE-2017-7653 — CVSS 5.3 (medium): The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other…