Apache JMeter — Known Vulnerabilities

14 vulnerabilities mapped against this product across all versions. Grouped by the release each fix landed in — newest tracked release v5.6.3.
Fixed in v5.x 12
CVE-2021-21345 Fixed in 5.5 CVSS 9.9 · Critical NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host…
CVE-2021-21347 Fixed in 5.5 CVSS 9.8 · Critical NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host…
CVE-2021-21350 Fixed in 5.5 CVSS 9.8 · Critical NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input…
CVE-2021-21344 Fixed in 5.5 CVSS 9.8 · Critical NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host…
CVE-2021-21346 Fixed in 5.5 CVSS 9.8 · Critical NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host…
CVE-2019-0187 Affects 4.0–5.0 CVSS 9.8 · Critical NVD ↗ Mar 6, 2019
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This…
CVE-2021-21351 Fixed in 5.5 CVSS 9.1 · Critical NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only…
CVE-2021-21342 Fixed in 5.5 CVSS 9.1 · Critical NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects.…
CVE-2021-21349 Fixed in 5.5 CVSS 8.6 · High NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly…
CVE-2021-21348 Fixed in 5.5 CVSS 7.5 · High NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and…
CVE-2021-21341 Fixed in 5.5 CVSS 7.5 · High NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on…
CVE-2021-21343 Fixed in 5.5 CVSS 7.5 · High NVD ↗ Mar 23, 2021
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects.…
Fixed in v3.x 2
CVE-2018-1287 Affects 2.1–3.3 CVSS 9.8 · Critical NVD ↗ Feb 14, 2018
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), the jmeter server binds the RMI Registry to the wildcard host. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
CVE-2018-1297 Affects 2.1–3.3 CVSS 9.8 · Critical NVD ↗ Feb 13, 2018
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
Source: NVD · CISA KEV · data as of Jun 8, 2026