Emqx

EMQX <=6.2.0 Remote Race Condition in QoS2 PUBLISH Handler
CVE-2026-8741 3.1 - Low - May 17, 2026

A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqx_persistent_session_ds.erl of the component QoS 2 PUBLISH Packet Handler. Such manipulation leads to race condition. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.

Race Condition

EMQX v4.3.8 emqx_sn Plugin Directory Traversal via .txt Upload
CVE-2023-37781 6.5 - Medium - July 17, 2023

An issue in the emqx_sn plugin of EMQX v4.3.8 allows attackers to execute a directory traversal via uploading a crafted .txt file.

Directory traversal

EMQ X Dashboard V3.0.0 is affected by username enumeration in the "/api /v3/auth" interface
CVE-2021-46434 5.3 - Medium - March 28, 2022

EMQ X Dashboard V3.0.0 is affected by username enumeration in the "/api /v3/auth" interface. When a user login, the application returns different results depending on whether the account is correct, that allowed an attacker to determine if a given username was valid