45 CVEs

1 in CISA KEV

igniterealtime Vulnerabilities

CVE security advisories and vulnerability history for igniterealtime.

45

Total CVEs

Published

1

In CISA KEV

Exploited in the wild

19

Public exploits

With known exploit

7.8

Avg CVSS

2009–2026

Overview

igniterealtime has 45 published CVE records since 2009, of which 1 are in CISA's Known Exploited Vulnerabilities catalog and 19 have a known public exploit. The average CVSS base score across scored CVEs is 7.8.

This page aggregates every publicly disclosed vulnerability (CVE) affecting igniterealtime products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of igniterealtime's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical2

High2

Medium2

Low0

39 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

1

One of igniterealtime's CVEs is confirmed exploited in the wild.

Public exploits

19

19 of igniterealtime's CVEs have a known public exploit available.

Most affected products

The igniterealtime products with the most published CVEs.

openfire39 CVEs
org.igniterealtime.openfire:parent10 CVEs
org.igniterealtime.openfire:xmppserver6 CVEs
smack3 CVEs
org.igniterealtime.smack:smack-core1 CVEs
smack api1 CVEs
spark1 CVEs
user import export1 CVEs

Common weakness types

The CWE weakness categories most often found in igniterealtime CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish igniterealtime CVE records.

Disclosure activity by year

How many igniterealtime CVEs were published each year.

2018

2

2019

3

2020

17

2022

1

2023

1

2024

2

2025

1

2026

1

Latest igniterealtime CVEs

The most recently disclosed vulnerabilities affecting igniterealtime.

Openfire 4.6.0 - 'path' Stored XSS
CWE-79
Medium · CVSS 6.4
EPSS 0.0%2026-01-26
Openfire allows potential identity spoofing via unsafe CN parsing
CWE-290
Medium · CVSS 5.9
EPSS 0.0%2025-09-15
Critical vulnerability · 2024-03-26
CWE-250
Critical · CVSS 9.8
EPSS 2.6%2024-03-26
High vulnerability · 2024-03-26
CWE-273
High · CVSS 7.2
EPSS 1.6%2024-03-26
Openfire administration console authentication bypass
CISA KEV
CWE-22
Critical · CVSS 9.3
EPSS 94.4%2023-05-26
Vulnerability vulnerability · 2022-03-18
Unscored
EPSS 92.6%2022-03-18
Vulnerability vulnerability · 2020-12-12
Unscored
EPSS 0.3%2020-12-12
Vulnerability vulnerability · 2020-12-12
Unscored
EPSS 0.8%2020-12-12
Vulnerability vulnerability · 2020-12-12
Unscored
EPSS 0.3%2020-12-12
Vulnerability vulnerability · 2020-12-12
Unscored
EPSS 0.3%2020-12-12
Vulnerability vulnerability · 2020-12-11
Unscored
EPSS 0.3%2020-12-11
Vulnerability vulnerability · 2020-09-02
Unscored
EPSS 0.6%2020-09-02

Track new igniterealtime CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor igniterealtime CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

microsoft24,097 CVEs Linux19,131 CVEs google14,281 CVEs apple14,019 CVEs oracle10,440 CVEs debian10,201 CVEs IBM8,265 CVEs Adobe7,222 CVEs

Browse all vendors

Frequently asked questions

Common questions about igniterealtime vulnerabilities.

How many CVEs does igniterealtime have?

igniterealtime has 45 published CVE records since 2009, including 2 in the last two years.

How many igniterealtime CVEs are in CISA KEV?

Yes — 1 of igniterealtime's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which igniterealtime products have the most CVEs?

The igniterealtime products with the most published CVEs are openfire, org.igniterealtime.openfire:parent, org.igniterealtime.openfire:xmppserver, smack, org.igniterealtime.smack:smack-core.

What are the most common weakness types in igniterealtime CVEs?

igniterealtime's CVEs most often map to these CWE weakness types: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-250 (Execution with Unnecessary Privileges), CWE-273 (Improper Check for Dropped Privileges), CWE-290 (Authentication Bypass by Spoofing).

Are there public exploits for igniterealtime vulnerabilities?

Yes — 19 of igniterealtime's CVEs have a known public exploit.

How many critical igniterealtime vulnerabilities are there?

igniterealtime has 2 critical and 2 high-severity CVEs.

What is the average severity of igniterealtime CVEs?

The average CVSS base score across igniterealtime's scored CVEs is 7.8.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track igniterealtime vulnerabilities

Monitor new igniterealtime vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing