Vulnerability Details CVE-2026-57213
RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_federation_management plugin renders the consumer_tag field on the Federation Status page without HTML escaping, allowing a user who can configure a federation upstream or policy to execute JavaScript in the browser of a user viewing that page. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 24.5%
CVSS Severity
CVSS v3 Score 4.8
Products affected by CVE-2026-57213
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.0
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.1
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.2
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.3
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.4
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.5
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.6
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.7
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.0
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.1
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.13
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.2
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.3
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.4
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.5
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.6
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.7
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.9
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.0
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.1
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.2
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.3
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.4
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.5
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.6
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.7
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.8
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.0
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.1
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.2
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.3
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.4