{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/rabbitmq/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-44839"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RabbitMQ"],"_cs_severities":["medium"],"_cs_tags":["xss","rabbitmq","cve-2026-44839","web-application"],"_cs_type":"threat","_cs_vendors":["RabbitMQ"],"content_html":"\u003cp\u003eCVE-2026-44839 describes a cross-site scripting (XSS) vulnerability affecting the RabbitMQ management UI. The vulnerability stems from the improper sanitization of virtual host (vhost) names. An attacker could potentially inject malicious JavaScript code into a vhost name. When an administrator or user interacts with the management UI and views the affected vhost, the injected JavaScript code could be executed in their browser. This could lead to session hijacking, defacement of the management UI, or other malicious activities within the context of the user\u0026rsquo;s session.\nExploitation would require the attacker to have the ability to create or modify vhost names.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a RabbitMQ account with privileges to create or modify vhosts.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious vhost name containing JavaScript code, such as \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;);\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker creates or modifies an existing vhost with the crafted, malicious name through the RabbitMQ management UI or API.\u003c/li\u003e\n\u003cli\u003eA user, typically an administrator, logs into the RabbitMQ management UI.\u003c/li\u003e\n\u003cli\u003eThe management UI displays the list of vhosts, including the attacker\u0026rsquo;s maliciously named vhost.\u003c/li\u003e\n\u003cli\u003eThe unsanitized vhost name is rendered in the user\u0026rsquo;s browser, executing the embedded JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe injected script executes in the context of the user\u0026rsquo;s browser session, potentially stealing cookies or performing other actions on behalf of the user.\u003c/li\u003e\n\u003cli\u003eAttacker uses stolen session cookies to impersonate the administrator or other privileged user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44839 allows an attacker to execute arbitrary JavaScript code within the RabbitMQ management UI in the context of a user\u0026rsquo;s browser. This can lead to account compromise through session hijacking, potentially granting the attacker full administrative control over the RabbitMQ server. The impact ranges from data exfiltration to denial of service, depending on the privileges of the compromised account and the attacker\u0026rsquo;s objectives.\nThe number of affected users depends on the RabbitMQ deployment size.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade RabbitMQ to a patched version that includes proper sanitization of vhost names to prevent XSS attacks (refer to vendor advisory).\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding on the RabbitMQ management UI to sanitize vhost names (and other user-controlled inputs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious RabbitMQ vhost Creation with Script Tags\u0026rdquo; to identify attempts to inject malicious code via vhost names.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit RabbitMQ user privileges to minimize the impact of potential account compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-31T07:27:23Z","date_published":"2026-05-31T07:27:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-44839-rabbitmq-xss/","summary":"CVE-2026-44839 is a cross-site scripting (XSS) vulnerability in the RabbitMQ management UI that arises from unsanitized virtual host (vhost) names, potentially allowing an attacker to execute arbitrary JavaScript in the context of a user's browser.","title":"CVE-2026-44839: RabbitMQ Management UI XSS via Unsanitized vhost Names","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-44839-rabbitmq-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — RabbitMQ","version":"https://jsonfeed.org/version/1.1"}