Primary

Context

RabbitMQ Unsanitized Vhost Names Allow Cross-Site Scripting in Management UI

Vulnerability

Patched

A cross-site scripting (XSS) vulnerability has been identified in RabbitMQ's management UI, specifically in versions 3.7.0 prior to 4.1.2 and 4.0.13. The issue arises from unsanitized virtual host names that can be exploited if an attacker manages to force a virtual host to restart. This vulnerability allows for the injection of malicious scripts into the management UI pages that list virtual hosts.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a virtual host with a name that includes unsanitized data, such as a script. Then, force the virtual host to crash and restart it using the management UI. This will trigger the XSS payload to execute when the vhost page is visited.

Remediation

Users can upgrade to RabbitMQ versions 4.1.2 or 4.0.13 to address this vulnerability.

Added: May 27, 2026, 5:10 PM

Updated: May 27, 2026, 5:10 PM

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

5.4

exploitability

4.1

remediation

7.7

relevance

9.4

threat

4.8

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

5.4

exploitability

4.1

remediation

7.7

relevance

9.4

threat

4.8

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

RabbitMQ Unsanitized Vhost Names Allow Cross-Site Scripting in Management UI

Vulnerability

Impact

Reproduction

Remediation

Affected Products

RabbitMQ

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating