Emqx

Products by Emqx Sorted by Most Security Vulnerabilities since 2018

Emqx Nanomq: 21 vulnerabilities

Emqx: 3 vulnerabilities

Emqx Neuron: 2 vulnerabilities

Emqx Emq X Broker: 1 vulnerability

By the Year

In 2026 there have been 2 vulnerabilities in Emqx with an average score of 4.4 out of ten. Last year, in 2025, Emqx had 7 security vulnerabilities published. Right now, Emqx is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 2.25.

Year Vulnerabilities Average Score
2026 2 4.40
2025 7 6.65
2024 7 7.93
2023 11 7.25
2022 1 5.30
2021 1 7.50

It may take a day or so for new Emqx vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Emqx Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-8741 May 17, 2026
EMQX <=6.2.0 Remote Race Condition in QoS2 PUBLISH Handler
A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqx_persistent_session_ds.erl of the component QoS 2 PUBLISH Packet Handler. Such manipulation leads to a race condition. The attack may be performed remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
Emqx
CVE-2026-30867 Apr 02, 2026
CocoaMQTT prior to 2.2.2: malformed RETAINED MQTT payload causes remote crash (DoS)
CocoaMQTT is an MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
CVE-2025-62413 Oct 16, 2025
MQTTX v1.12.0 XSS via Message Viewer
MQTTX is an MQTT 5.0 desktop client and MQTT testing tool. A Cross-Site Scripting (XSS) vulnerability was introduced in MQTTX v1.12.0 due to improper handling of MQTT message payload rendering. Malicious payloads containing HTML or JavaScript could be rendered directly in the MQTTX message viewer. If exploited, this could allow attackers to execute arbitrary scripts in the context of the application UI, for example, attempting to access MQTT connection credentials or trigger unintended actions through script injection. This vulnerability is especially relevant when MQTTX is used with brokers in untrusted or multi-tenant environments, where message content cannot be fully controlled. This vulnerability is fixed in 1.12.1.
CVE-2024-42655 Jul 29, 2025
Access Control RCE in NanoMQ v0.21.10 via MQTT Wildcards
An access control issue in NanoMQ v0.21.10 allows attackers to bypass security restrictions and access sensitive system topic messages using MQTT wildcard characters.
Nanomq
CVE-2024-42651 Jul 29, 2025
NanoMQ v0.17.9 HEAP UAF in sub_Ctx_handle causes DoS via SUBSCRIBE
NanoMQ v0.17.9 was discovered to contain a heap use-after-free vulnerability via the component sub_Ctx_handle. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted SUBSCRIBE message.
Nanomq
CVE-2024-42650 Jul 15, 2025
NanoMQ 0.17.5 DoS via segfault in /nanomq/pub_handler.c
NanoMQ 0.17.5 was discovered to contain a segmentation fault via the component /nanomq/pub_handler.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PUBLISH message.
Nanomq
CVE-2024-42649 Jul 14, 2025
NanoMQ v0.22.10 memory leak via crafted PUBLISH, DoS
NanoMQ v0.22.10 was discovered to contain a memory leak which allows attackers to cause a Denial of Service (DoS) via a crafted PUBLISH message.
Nanomq
CVE-2024-42648 Jul 14, 2025
NanoMQ 0.22.10 Heap Overflow in CONNECT Stack DoS Vulnerability
NanoMQ v0.22.10 was discovered to contain a heap overflow which allows attackers to cause a Denial of Service (DoS) via a crafted CONNECT message.
Nanomq
CVE-2024-42646 Jul 14, 2025
NanoMQ v0.21.10 DoS • Segfault via Crafted Messages
A segmentation fault in NanoMQ v0.21.10 allows attackers to cause a Denial of Service (DoS) via crafted messages.
Nanomq
CVE-2024-10964 Nov 07, 2024
EMQX Neuron 2.10.0 Buffer Overflow in Plugin Handler
A vulnerability classified as critical has been found in emqx neuron up to 2.10.0. Affected is the function handle_add_plugin in the library cmd.library of the file plugins/restful/plugin_handle.c. The manipulation leads to a buffer overflow. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue.
Neuron
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).