Skip to content

ActiveMQ

Streaming & Message Queues

Apache ActiveMQ

Track releases GitHub Website
Java Latest activemq-5.19.7 · 7d ago Security brief →

Features

  • Supports Jakarta Messaging (JMS) 3.1.0, JMS 2.0 and JMS 1.1
  • Provides AMQP, MQTT and HTTP/WS protocols
  • Offers advanced features such as network‑of‑brokers and scheduling

Security Response History

8 CVEs
CVE Severity Disclosed Patched (this tool) vs Ecosystem Median
CVE-2026-34197 KEV high
CVSS 8.8
 2026-04-07 2026-04-08 30h
CVE-2023-46604 KEV critical
CVSS 10.0
 2023-11-02 2026-03-20 2y 5mo / median 2y 5mo
CVE-2021-45046 KEV critical
CVSS 9.0
 2023-05-01 2026-03-20 2y 11mo / median 2y 9mo
CVE-2021-39144 KEV high
CVSS 8.5
 2023-03-10 2026-03-20 3y / median 2y 10mo
CVE-2022-22965 KEV critical
CVSS 9.8
 2022-04-04 2026-03-20 4y / median 3y 10mo
CVE-2016-3088 KEV critical
CVSS 9.8
 2022-02-10 2026-03-20 4y 1mo / median 4y 1mo
CVE-2021-44228 KEV critical
CVSS 10.0
 2021-12-10 2026-03-20 4y 3mo / median 4y 2mo
CVE-2016-4437 KEV critical
CVSS 9.8
 2021-11-03 2026-03-20 4y 5mo / median 4y 5mo

Recent releases

View all 10 releases →
Upgrade now
activemq-5.19.7 Breaking risk
Dependencies

Remove java.lang serialization

Open
Review required
activemq-6.2.6 Breaking risk
Auth RBAC RCE / SSRF

Serializable package removal + hardened access

patches CVE-2016-3088 patches CVE-2016-4437 patches CVE-2021-39144 +5 more
Open
activemq-5.19.6 Security relevant
Security fixes
  • XBeanBrokerFactory URL protocol type restrictions
  • Remote file filtering for XBeanBrokerFactory
Full changelog

What's Changed

  • Bump to 5.19.6-SNAPSHOT version by @jbonofre in https://github.com/apache/activemq/pull/1893
  • [5.19.x] SSL handshake write timeout enforcement (#1883) by @cshannon in https://github.com/apache/activemq/pull/1896
  • [5.19.x] Minor bug fix for BrokerView#validateAllowedUri (#1900) by @cshannon in https://github.com/apache/activemq/pull/1903
  • [5.19.x] Restrict URL protocol types loaded by XBeanBrokerFactory (#1910) by @cshannon in https://github.com/apache/activemq/pull/1916
  • [5.19.x] Make brokerName immutable in RegionBroker (#1917) by @cshannon in https://github.com/apache/activemq/pull/1924
  • [5.19.x] Add Http discovery transport to denied list for JMX (#1918) by @cshannon in https://github.com/apache/activemq/pull/1926
  • [5.19.x] Update resource cleanup on queueBrowse servlet (#1912) by @cshannon in https://github.com/apache/activemq/pull/1927
  • [5.19.x] Update DestinationView uri resolution (#1914) by @cshannon in https://github.com/apache/activemq/pull/1929
  • fix(webconsole): the webconsole now redirect to the slave.jsp when required [5.19.x] by @jbonofre in https://github.com/apache/activemq/pull/1936
  • [5.19.x] Queue browse improvements in webconsole (#1938) by @cshannon in https://github.com/apache/activemq/pull/1943
  • [5.19.x] Add more transport types to the denied list for JMX (#1949) by @cshannon in https://github.com/apache/activemq/pull/1953
  • [5.19.x] Add remote file filtering for XBeanBrokerFactory (#1950) by @cshannon in https://github.com/apache/activemq/pull/1955

Full Changelog: https://github.com/apache/activemq/compare/activemq-5.19.5...activemq-5.19.6

View release on GitHub
activemq-6.2.5 Security relevant
Security fixes
  • XBeanBrokerFactory URL protocol type restrictions
  • Remote file filtering for XBeanBrokerFactory
Full changelog

What's Changed

  • Bump to 6.2.5-SNAPSHOT version by @jbonofre in https://github.com/apache/activemq/pull/1892
  • [6.2.x] SSL handshake write timeout enforcement (#1883) by @cshannon in https://github.com/apache/activemq/pull/1894
  • [6.2.x] Minor bug fix for BrokerView#validateAllowedUri (#1900) by @cshannon in https://github.com/apache/activemq/pull/1902
  • [6.2.x] Restrict URL protocol types loaded by XBeanBrokerFactory (#1910) by @cshannon in https://github.com/apache/activemq/pull/1915
  • compilation-fix by @cshannon in https://github.com/apache/activemq/pull/1919
  • [6.2.x] Make brokerName immutable in RegionBroker (#1917) by @cshannon in https://github.com/apache/activemq/pull/1923
  • [6.2.x] Add Http discovery transport to denied list for JMX (#1918) by @cshannon in https://github.com/apache/activemq/pull/1925
  • [6.2.x] Update resource cleanup on queueBrowse servlet (#1912) by @cshannon in https://github.com/apache/activemq/pull/1928
  • [6.2.x] Update DestinationView uri resolution (#1914) by @cshannon in https://github.com/apache/activemq/pull/1930
  • fix(webconsole): the webconsole now redirect to the slave.jsp when required (slave broker with startAsync="true") [6.2.x] by @jbonofre in https://github.com/apache/activemq/pull/1934
  • [6.2.x] Queue browse improvements in webconsole (#1938) by @cshannon in https://github.com/apache/activemq/pull/1942
  • [6.2.x] Add more transport types to the denied list for JMX (#1949) by @cshannon in https://github.com/apache/activemq/pull/1952
  • [6.2.x] Add remote file filtering for XBeanBrokerFactory (#1950) by @cshannon in https://github.com/apache/activemq/pull/1954

Full Changelog: https://github.com/apache/activemq/compare/activemq-6.2.4...activemq-6.2.5

View release on GitHub
activemq-5.19.5 Bug fix
Notable features
  • Queue message purging support (purge first N messages)
View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
2,432
Forks
1,490
Languages
Java JavaScript HTML
View on GitHub Homepage Documentation

Install & Platforms

Install via
binary docker

Similar tools

UQLM
Apache Maven

Beta — feedback welcome: [email protected]