SB2026050694 - Stored XSS in RabbitMQ management UI
Published: May 6, 2026
Security Bulletin ID
SB2026050694
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Stored cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper neutralization of script-related html tags in a web page in the management UI pages that list virtual hosts when rendering unsanitized virtual host names in restart forms. A remote privileged user can create a crafted virtual host name and force the virtual host to restart to disclose sensitive information.
User interaction is required because a victim must visit the page of the malicious virtual host.
Remediation
Install update from vendor's website.