{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","type":"deb","namespace":"debian","name":"mosquitto","version":"1.5.7-1+deb10u1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.11-1.2+deb12u2","latest_non_vulnerable_version":"2.0.11-1.2+deb12u2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6961?format=json","vulnerability_id":"VCID-2ay2-q2hx-zfb7","summary":"access restriction bypass","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-34434","reference_id":"","reference_type":"","scores":[{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58756","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58704","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58751","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58747","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58748","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58733","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-34434"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?nam
e=CVE-2023-28366"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993400","reference_id":"993400","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993400"},{"reference_url":"https://security.archlinux.org/AVG-2332","reference_id":"AVG-2332","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2332"},{"reference_url":"https://usn.ubuntu.com/6492-1/","reference_id":"USN-6492-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6492-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2021-34434"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ay2-q2hx-zfb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93467?format=json","vulnerability_id":"VCID-4e4y-5x63-6ycm","summary":"In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property 
types.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3592.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3592.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-3592","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20548","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20535","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20495","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20427","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20435","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-3592"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2236882","reference_id":"2236882","referenc
e_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2236882"},{"reference_url":"https://security.gentoo.org/glsa/202401-09","reference_id":"GLSA-202401-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202401-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0797","reference_id":"RHSA-2024:0797","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0797"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1061","reference_id":"RHSA-2024:1061","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1061"},{"reference_url":"https://usn.ubuntu.com/6492-1/","reference_id":"USN-6492-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6492-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2023-3592"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4e4y-5x63-6ycm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93455?format=json","vulnerability_id":"VCID-5fj7-92ra-cbgx","summary":"In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would 
occur.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28166","reference_id":"","reference_type":"","scores":[{"value":"0.00583","scoring_system":"epss","scoring_elements":"0.69416","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00583","scoring_system":"epss","scoring_elements":"0.69368","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00583","scoring_system":"epss","scoring_elements":"0.69408","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00583","scoring_system":"epss","scoring_elements":"0.69415","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00583","scoring_system":"epss","scoring_elements":"0.69407","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00583","scoring_system":"epss","scoring_elements":"0.69395","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28166"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28166"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986701","reference_id":"986701","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986701"},{"reference_url":"https://security.archlinux.org/AVG-1793","reference_id":"AVG-1793","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1793"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2021-28166"],"risk_score":3.1,"exploitability":"0.
5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5fj7-92ra-cbgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93470?format=json","vulnerability_id":"VCID-7dtb-hmj1-3yev","summary":"In Eclipse Mosquitto, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3935","reference_id":"","reference_type":"","scores":[{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60104","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60096","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60077","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60094","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60107","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3935"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3935","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3935"},{"reference_url":"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/197","reference_id":"197","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T13:27:07Z/"}],"url":"https://gitlab.eclipse.org/security/v
ulnerability-reports/-/issues/197"},{"reference_url":"https://github.com/eclipse-mosquitto/mosquitto/commit/ae7a804dadac8f2aaedb24336df8496a9680fda9","reference_id":"ae7a804dadac8f2aaedb24336df8496a9680fda9","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T13:27:07Z/"}],"url":"https://github.com/eclipse-mosquitto/mosquitto/commit/ae7a804dadac8f2aaedb24336df8496a9680fda9"},{"reference_url":"https://usn.ubuntu.com/7441-1/","reference_id":"USN-7441-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7441-1/"},{"reference_url":"https://mosquitto.org/blog/2024/10/version-2-0-19-released/","reference_id":"version-2-0-19-released","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T13:27:07Z/"}],"url":"https://mosquitto.org/blog/2024/10/version-2-0-19-released/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196197?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1.2%2Bdeb12u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1.2%252Bdeb12u2"}],"aliases":["CVE-2024-3935"],"risk_score":2.7,"exploitability":"0.5","weighted_severity":"5.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7dtb-hmj1-3yev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93452?format=json","vulnerability_id":"VCID-7esp-wwn3-dqah","summary":"If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry 
interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11778","reference_id":"","reference_type":"","scores":[{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57627","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57679","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57687","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57678","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57665","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57682","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11778"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11778","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11778"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2019-11778"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7esp-wwn3-dqah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93464?format=json","vulnerability_id":"VCID-augs-54rz-abcf","summary":"In 
Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0809.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0809.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0809","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16096","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16063","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1618","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16171","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16126","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1604","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0809"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592","re
ference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2236882","reference_id":"2236882","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2236882"},{"reference_url":"https://security.gentoo.org/glsa/202401-09","reference_id":"GLSA-202401-09","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-20T14:51:17Z/"}],"url":"https://security.gentoo.org/glsa/202401-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0797","reference_id":"RHSA-2024:0797","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0797"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1061","reference_id":"RHSA-2024:1061","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1061"},{"reference_url":"https://usn.ubuntu.com/6492-1/","reference_id":"USN-6492-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6492-1/"},{"reference_url":"https://mosquitto.org/blog/2023/08/version-2-0-16-released/","reference_id":"version-2-0-16-released","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-20T14:51:17Z/"}],"url":"https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-
57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2023-0809"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-augs-54rz-abcf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93462?format=json","vulnerability_id":"VCID-cdbk-za61-skby","summary":"In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41039","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48433","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48496","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48502","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48484","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48455","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48467","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41039"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41039","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41039"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001028","reference_id":"1001028","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001028"},{"reference_url":"https://usn.ubuntu.com/6492-1/","reference_id":"USN-6492-1","referen
ce_type":"","scores":[],"url":"https://usn.ubuntu.com/6492-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2021-41039"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cdbk-za61-skby"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56100?format=json","vulnerability_id":"VCID-ey4s-txkt-wbe7","summary":"Out-of-bounds Write\nIn Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. 
This affects the mosquitto_sub and mosquitto_rr clients.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10525.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10525.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10525","reference_id":"","reference_type":"","scores":[{"value":"0.17507","scoring_system":"epss","scoring_elements":"0.95215","published_at":"2026-06-09T12:55:00Z"},{"value":"0.17507","scoring_system":"epss","scoring_elements":"0.95211","published_at":"2026-06-06T12:55:00Z"},{"value":"0.17507","scoring_system":"epss","scoring_elements":"0.95213","published_at":"2026-06-07T12:55:00Z"},{"value":"0.17507","scoring_system":"epss","scoring_elements":"0.95212","published_at":"2026-06-08T12:55:00Z"},{"value":"0.17889","scoring_system":"epss","scoring_elements":"0.95274","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10525"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10525","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10525"},{"reference_url":"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/319","reference_id":"","reference_type":"","scores":[],"url":"https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/319"},{"reference_url":"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190","reference_id":"190","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T13:33:25Z/"}],"url":"https://gitlab.eclipse.org/secu
rity/vulnerability-reports/-/issues/190"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322724","reference_id":"2322724","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322724"},{"reference_url":"https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c","reference_id":"8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T13:33:25Z/"}],"url":"https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10525","reference_id":"CVE-2024-10525","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10525"},{"reference_url":"https://usn.ubuntu.com/7441-1/","reference_id":"USN-7441-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7441-1/"},{"reference_url":"https://mosquitto.org/blog/2024/10/version-2-0-19-released/","reference_id":"version-2-0-19-released","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T13:33:25Z/"}],"url":"https://mosquitto.org/blog/2024/10/version-2-0-19-released/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196197?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1.2%2Bdeb12u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1.2%252Bdeb12u2"}],"aliases":["CVE-2024-10525"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","re
source_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ey4s-txkt-wbe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93458?format=json","vulnerability_id":"VCID-g268-53d5-3qbq","summary":"In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-34431","reference_id":"","reference_type":"","scores":[{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59168","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59216","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.5922","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59213","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59195","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59212","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-34431"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34431","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34431"},{"reference_url":"https://usn.ubuntu.com/6492-1/","reference_id":"USN-6492-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6492-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2021-34431"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g268-53d5-3qbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93459?format=json","vulnerability_id":"VCID-kbu7-gwry-bufu","summary":"In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-34432","reference_id":"","reference_type":"","scores":[{"value":"0.00565","scoring_system":"epss","scoring_elements":"0.68788","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00565","scoring_system":"epss","scoring_elements":"0.68828","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00565","scoring_system":"epss","scoring_elements":"0.68836","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00565","scoring_system":"epss","scoring_elements":"0.68813","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00565","scoring_system":"epss","scoring_elements":"0.68833","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-34432"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34432","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34432"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2021-34432"],"risk_score":null,"exploitability":"0.5","w
eighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kbu7-gwry-bufu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93466?format=json","vulnerability_id":"VCID-p819-s2sz-67ea","summary":"The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28366.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28366.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28366","reference_id":"","reference_type":"","scores":[{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30199","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30243","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30214","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30183","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30741","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28366"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34434"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0809","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename
.cgi?name=CVE-2023-0809"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28366"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3592"},{"reference_url":"https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt","reference_id":"2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-26T13:57:37Z/"}],"url":"https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2236882","reference_id":"2236882","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2236882"},{"reference_url":"https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9","reference_id":"6113eac95a9df634fbc858be542c4a0456bfe7b9","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-26T13:57:37Z/"}],"url":"https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9"},{"reference_url":"https://www.debian.org/security/2023/dsa-5511","reference_id":"dsa-5511","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"
ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-26T13:57:37Z/"}],"url":"https://www.debian.org/security/2023/dsa-5511"},{"reference_url":"https://security.gentoo.org/glsa/202401-09","reference_id":"GLSA-202401-09","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-26T13:57:37Z/"}],"url":"https://security.gentoo.org/glsa/202401-09"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/","reference_id":"KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-26T13:57:37Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0797","reference_id":"RHSA-2024:0797","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0797"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1061","reference_id":"RHSA-2024:1061","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1061"},{"reference_url":"https://usn.ubuntu.com/6492-1/","reference_id":"USN-6492-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6492-1/"},{"reference_url":"https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16","reference_id":"v2.0.15...v2.0.16","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/
E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-26T13:57:37Z/"}],"url":"https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16"},{"reference_url":"https://mosquitto.org/blog/2023/08/version-2-0-16-released/","reference_id":"version-2-0-16-released","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-26T13:57:37Z/"}],"url":"https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2023-28366"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p819-s2sz-67ea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93453?format=json","vulnerability_id":"VCID-s1th-yxbn-r3br","summary":"In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. 
the topic hierarchy separator, then a stack overflow will occur.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11779","reference_id":"","reference_type":"","scores":[{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94975","published_at":"2026-06-04T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94983","published_at":"2026-06-05T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94984","published_at":"2026-06-06T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94986","published_at":"2026-06-08T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94991","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11779"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11779","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11779"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940654","reference_id":"940654","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940654"},{"reference_url":"https://usn.ubuntu.com/4137-1/","reference_id":"USN-4137-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4137-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2019-11779"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s1th-yxbn-r3br"},{"url":"http://public2
.vulnerablecode.io/api/vulnerabilities/92207?format=json","vulnerability_id":"VCID-ucup-r7be-4uhq","summary":"Mosquitto: Possible Denial of Service due to excessive CPU consumption","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5632.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5632.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5632","reference_id":"","reference_type":"","scores":[{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25608","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25713","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25704","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25658","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25599","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5632"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5632","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5632"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d","reference_id":"18bad1ff32435e523d7507e9b2ce0010124a8f2d","reference_type":"","scores":[{"value":"7.5","
scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-13T14:50:16Z/"}],"url":"https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d"},{"reference_url":"https://github.com/eclipse/mosquitto/pull/2053","reference_id":"2053","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-13T14:50:16Z/"}],"url":"https://github.com/eclipse/mosquitto/pull/2053"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2244840","reference_id":"2244840","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2244840"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2023-5632"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ucup-r7be-4uhq"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93448?format=json","vulnerability_id":"VCID-1rn3-3fjm-gfcs","summary":"When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. 
The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12550","reference_id":"","reference_type":"","scores":[{"value":"0.00396","scoring_system":"epss","scoring_elements":"0.6079","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00396","scoring_system":"epss","scoring_elements":"0.60797","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00396","scoring_system":"epss","scoring_elements":"0.60786","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00396","scoring_system":"epss","scoring_elements":"0.60769","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00396","scoring_system":"epss","scoring_elements":"0.60784","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0047","scoring_system":"epss","scoring_elements":"0.64915","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12550"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12546","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12546"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12550","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12550"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12551","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12551"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921976","reference_id":"921976","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921976"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515640?format=json","purl":"pkg:deb/debian/mosquitto@1.4.10-3%2Bdeb9u4","is_vulnerable":true,"affected_by_vulnerabilities
":[{"vulnerability":"VCID-1rn3-3fjm-gfcs"},{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-54tv-3j1m-kqaf"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ckh9-pyk8-3bgn"},{"vulnerability":"VCID-ddur-xyfp-mfaj"},{"vulnerability":"VCID-dgsa-yzf4-a3hm"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-f5uh-fnmg-8uae"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-hk67-xs7f-jfg7"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"},{"vulnerability":"VCID-upah-d5xc-5yhc"},{"vulnerability":"VCID-xndw-wzg3-akdk"},{"vulnerability":"VCID-y7r2-b932-gqhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.4.10-3%252Bdeb9u4"},{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2018-12550"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-
1rn3-3fjm-gfcs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93451?format=json","vulnerability_id":"VCID-54tv-3j1m-kqaf","summary":"Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-20145","reference_id":"","reference_type":"","scores":[{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43862","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43932","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.4394","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43916","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43881","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43891","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-20145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20145"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qb
q"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2018-20145"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-54tv-3j1m-kqaf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93442?format=json","vulnerability_id":"VCID-ckh9-pyk8-3bgn","summary":"The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7653","reference_id":"","reference_type":"","scores":[{"value":"0.0093","scoring_system":"epss","scoring_elements":"0.76517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0093","scoring_system":"epss","scoring_elements":"0.76518","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0093","scoring_system":"epss","scoring_elements":"0.76511","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0093","scoring_system":"epss","scoring_elements":"0.76481","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0093","scoring_system":"epss","scoring_elements":"0.76506","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0093","scoring_system":"epss","scoring_elements":"0.76497","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651"},{"reference_url":"https://cve.m
itre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911266","reference_id":"911266","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911266"},{"reference_url":"https://usn.ubuntu.com/4023-1/","reference_id":"USN-4023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515640?format=json","purl":"pkg:deb/debian/mosquitto@1.4.10-3%2Bdeb9u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1rn3-3fjm-gfcs"},{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-54tv-3j1m-kqaf"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ckh9-pyk8-3bgn"},{"vulnerability":"VCID-ddur-xyfp-mfaj"},{"vulnerability":"VCID-dgsa-yzf4-a3hm"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-f5uh-fnmg-8uae"},{
"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-hk67-xs7f-jfg7"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"},{"vulnerability":"VCID-upah-d5xc-5yhc"},{"vulnerability":"VCID-xndw-wzg3-akdk"},{"vulnerability":"VCID-y7r2-b932-gqhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.4.10-3%252Bdeb9u4"},{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2017-7653"],"risk_score":1.1,"exploitability":"0.5","weighted_severity":"2.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ckh9-pyk8-3bgn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93444?format=json","vulnerability_id":"VCID-ddur-xyfp-mfaj","summary":"In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the 
library.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7655","reference_id":"","reference_type":"","scores":[{"value":"0.0087","scoring_system":"epss","scoring_elements":"0.75542","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0087","scoring_system":"epss","scoring_elements":"0.7557","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0087","scoring_system":"epss","scoring_elements":"0.75573","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0087","scoring_system":"epss","scoring_elements":"0.75563","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0087","scoring_system":"epss","scoring_elements":"0.7555","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0087","scoring_system":"epss","scoring_elements":"0.75575","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7655"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7655","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7655"},{"reference_url":"https://usn.ubuntu.com/USN-4823-1/","reference_id":"USN-USN-4823-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-4823-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packag
es/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2017-7655"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ddur-xyfp-mfaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93443?format=json","vulnerability_id":"VCID-dgsa-yzf4-a3hm","summary":"In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7654","reference_id":"","reference_type":"","scores":[{"value":"0.01447","scoring_system":"epss","scoring_elements":"0.811","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01447","scoring_system":"epss","scoring_elements":"0.81129","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01447","scoring_system":"epss","scoring_elements":"0.81133","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01447","scoring_system":"epss","scoring_elements":"0.81125","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01447","scoring_system":"epss","scoring_elements":"0.81143","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7654"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.
cgi?name=CVE-2017-7654","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911265","reference_id":"911265","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911265"},{"reference_url":"https://usn.ubuntu.com/4023-1/","reference_id":"USN-4023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515640?format=json","purl":"pkg:deb/debian/mosquitto@1.4.10-3%2Bdeb9u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1rn3-3fjm-gfcs"},{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-54tv-3j1m-kqaf"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ckh9-pyk8-3bgn"},{"vulnerability":"VCID-ddur-xyfp-mfaj"},{"vulnerability":"VCID-dgsa-yzf4-a3hm"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-f5uh-fnmg-8uae"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-hk67-xs7f-jfg7"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"},{"vulnerability":"VCID-upah-d5xc-5yhc"},{"vulnerability":"VCID-xndw-wzg3-akdk"},{"vulnerability":"VCID-y7r2-b932-gqhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb
/debian/mosquitto@1.4.10-3%252Bdeb9u4"},{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2017-7654"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dgsa-yzf4-a3hm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93447?format=json","vulnerability_id":"VCID-f5uh-fnmg-8uae","summary":"In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. 
In some applications this may result in clients being able to cause effects that would otherwise not be allowed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12546","reference_id":"","reference_type":"","scores":[{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39249","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39338","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39342","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39314","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39286","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39299","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12546"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12546","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12546"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12550","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12550"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12551","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12551"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921976","reference_id":"921976","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921976"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515640?format=json","purl":"pkg:deb/debian/mosquitto@1.4.10-3%2Bdeb9u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-
1rn3-3fjm-gfcs"},{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-54tv-3j1m-kqaf"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ckh9-pyk8-3bgn"},{"vulnerability":"VCID-ddur-xyfp-mfaj"},{"vulnerability":"VCID-dgsa-yzf4-a3hm"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-f5uh-fnmg-8uae"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-hk67-xs7f-jfg7"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"},{"vulnerability":"VCID-upah-d5xc-5yhc"},{"vulnerability":"VCID-xndw-wzg3-akdk"},{"vulnerability":"VCID-y7r2-b932-gqhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.4.10-3%252Bdeb9u4"},{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2018-12546"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f5uh-fnmg-8uae"},{"url":"h
ttp://public2.vulnerablecode.io/api/vulnerabilities/93445?format=json","vulnerability_id":"VCID-hk67-xs7f-jfg7","summary":"In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9868","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.0756","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07516","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07552","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07503","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07539","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07492","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9868"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865959","reference_id":"865959","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865959"},{"reference_url":"https://security.archlinux.org/ASA-201707-16","reference_id":"ASA-201707-16","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201707-16"},{"reference_url":"https://security.archlinux.org/AVG-353","reference_id":"AVG-353","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-353"}],"fixed_packages":[{"url":"http://public2.vuln
erablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2017-9868"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hk67-xs7f-jfg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93453?format=json","vulnerability_id":"VCID-s1th-yxbn-r3br","summary":"In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. 
the topic hierarchy separator, then a stack overflow will occur.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11779","reference_id":"","reference_type":"","scores":[{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94975","published_at":"2026-06-04T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94983","published_at":"2026-06-05T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94984","published_at":"2026-06-06T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94986","published_at":"2026-06-08T12:55:00Z"},{"value":"0.16327","scoring_system":"epss","scoring_elements":"0.94991","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11779"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11779","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11779"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940654","reference_id":"940654","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940654"},{"reference_url":"https://usn.ubuntu.com/4137-1/","reference_id":"USN-4137-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4137-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-
67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"},{"url":"http://public2.vulnerablecode.io/api/packages/196196?format=json","purl":"pkg:deb/debian/mosquitto@2.0.11-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-fy1a-esbh-57es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@2.0.11-1%252Bdeb11u1"}],"aliases":["CVE-2019-11779"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s1th-yxbn-r3br"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93450?format=json","vulnerability_id":"VCID-upah-d5xc-5yhc","summary":"When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. 
Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12551","reference_id":"","reference_type":"","scores":[{"value":"0.00597","scoring_system":"epss","scoring_elements":"0.69756","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00597","scoring_system":"epss","scoring_elements":"0.69795","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00597","scoring_system":"epss","scoring_elements":"0.69804","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00597","scoring_system":"epss","scoring_elements":"0.69784","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00597","scoring_system":"epss","scoring_elements":"0.69806","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12551"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12546","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12546"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12550","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12550"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12551","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12551"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921976","reference_id":"921976","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921976"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515640?format=json","purl":"pkg:deb/debian/mosquitto@1.4.10-3%2Bdeb9u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1rn3-3fjm-gfcs"},{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x
63-6ycm"},{"vulnerability":"VCID-54tv-3j1m-kqaf"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ckh9-pyk8-3bgn"},{"vulnerability":"VCID-ddur-xyfp-mfaj"},{"vulnerability":"VCID-dgsa-yzf4-a3hm"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-f5uh-fnmg-8uae"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-hk67-xs7f-jfg7"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"},{"vulnerability":"VCID-upah-d5xc-5yhc"},{"vulnerability":"VCID-xndw-wzg3-akdk"},{"vulnerability":"VCID-y7r2-b932-gqhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.4.10-3%252Bdeb9u4"},{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2018-12551"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-upah-d5xc-5yhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93438?format=json","vulnerability_i
d":"VCID-xndw-wzg3-akdk","summary":"In Eclipse Mosquitto 1.4.14, a user can shut down the Mosquitto server simply by filling the RAM with a large number of connections carrying large payloads. This can be done without authentication if it occurs in the connection phase of the MQTT protocol.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7651","reference_id":"","reference_type":"","scores":[{"value":"0.23134","scoring_system":"epss","scoring_elements":"0.96032","published_at":"2026-06-04T12:55:00Z"},{"value":"0.23134","scoring_system":"epss","scoring_elements":"0.96036","published_at":"2026-06-05T12:55:00Z"},{"value":"0.23134","scoring_system":"epss","scoring_elements":"0.96039","published_at":"2026-06-06T12:55:00Z"},{"value":"0.23134","scoring_system":"epss","scoring_elements":"0.96041","published_at":"2026-06-08T12:55:00Z"},{"value":"0.23134","scoring_system":"epss","scoring_elements":"0.96046","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7651"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515640?format=json","purl":"pkg:deb/debian/mosquitto@1.4.10-3%2Bdeb9u4","is_vulnerable":true,"affecte
d_by_vulnerabilities":[{"vulnerability":"VCID-1rn3-3fjm-gfcs"},{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-54tv-3j1m-kqaf"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ckh9-pyk8-3bgn"},{"vulnerability":"VCID-ddur-xyfp-mfaj"},{"vulnerability":"VCID-dgsa-yzf4-a3hm"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-f5uh-fnmg-8uae"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-hk67-xs7f-jfg7"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"},{"vulnerability":"VCID-upah-d5xc-5yhc"},{"vulnerability":"VCID-xndw-wzg3-akdk"},{"vulnerability":"VCID-y7r2-b932-gqhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.4.10-3%252Bdeb9u4"},{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2017-7651"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.2","resource_url":"http://public2.vulnerablecode.io/vul
nerabilities/VCID-xndw-wzg3-akdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93440?format=json","vulnerability_id":"VCID-y7r2-b932-gqhj","summary":"In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7652","reference_id":"","reference_type":"","scores":[{"value":"0.01004","scoring_system":"epss","scoring_elements":"0.77376","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01004","scoring_system":"epss","scoring_elements":"0.77403","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01004","scoring_system":"epss","scoring_elements":"0.77413","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01004","scoring_system":"epss","scoring_elements":"0.77394","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01004","scoring_system":"epss","scoring_elements":"0.77415","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7651"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654","reference_
id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7654"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515640?format=json","purl":"pkg:deb/debian/mosquitto@1.4.10-3%2Bdeb9u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1rn3-3fjm-gfcs"},{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-54tv-3j1m-kqaf"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ckh9-pyk8-3bgn"},{"vulnerability":"VCID-ddur-xyfp-mfaj"},{"vulnerability":"VCID-dgsa-yzf4-a3hm"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-f5uh-fnmg-8uae"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-hk67-xs7f-jfg7"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerability":"VCID-ucup-r7be-4uhq"},{"vulnerability":"VCID-upah-d5xc-5yhc"},{"vulnerability":"VCID-xndw-wzg3-akdk"},{"vulnerability":"VCID-y7r2-b932-gqhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.4.10-3%252Bdeb9u4"},{"url":"http://public2.vulnerablecode.io/api/packages/516302?format=json","purl":"pkg:deb/debian/mosquitto@1.5.7-1%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ay2-q2hx-zfb7"},{"vulnerability":"VCID-4e4y-5x63-6ycm"},{"vulnerability":"VCID-5fj7-92ra-cbgx"},{"vulnerability":"VCID-7dtb-hmj1-3yev"},{"vulnerability":"VCID-7esp-wwn3-dqah"},{"vulnerability":"VCID-augs-54rz-abcf"},{"vulnerability":"VCID-cdbk-za61-skby"},{"vulnerability":"VCID-ey4s-txkt-wbe7"},{"vulnerability":"VCID-g268-53d5-3qbq"},{"vulnerability":"VCID-kbu7-gwry-bufu"},{"vulnerability":"VCID-p819-s2sz-67ea"},{"vulnerability":"VCID-s1th-yxbn-r3br"},{"vulnerab
ility":"VCID-ucup-r7be-4uhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}],"aliases":["CVE-2017-7652"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y7r2-b932-gqhj"}],"risk_score":"3.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mosquitto@1.5.7-1%252Bdeb10u1"}