Mule Runtime - 5 CVEs (Page 1/1)

About “Mule Runtime”

A curated feed of “Mule Runtime”-related CVEs appears below. We currently track 5 CVEs for this tag (all time). In the last 365 days, 0 were published. Average CVSS is 8.9 (all time), and 100% are rated High/Critical (all time). Top CWEs (all time): CWE-611 - Improper Restriction of XML External Entity Reference, CWE-918 - Server-Side Request Forgery (SSRF), CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a LOW impact class. Integration platforms and ESBs bridge systems. Patch runtimes and connectors, restrict admin consoles, validate signer keys, and monitor flows. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: mulesoft-runtime

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL	LTS
4.11	2026-02-28	4.11.2	2026-07-31	2026-10-31 Soon
4.10	2025-10-31	4.10.5	2026-03-31	2026-06-30 Soon
4.9-lts	2025-02-28	4.9.16	2027-08-31	2028-02-29	LTS
4.9	2025-02-28	4.9.16	2025-11-30	2026-02-28 Expired
4.8	2024-10-31	4.8.6	2025-03-31	2025-06-30 Expired
4.7	2024-06-30	4.7.4	2024-10-31	2025-02-28 Expired
4.6-lts	2024-02-29	4.6.22	2026-08-31	2027-02-28
4.6	2024-02-29	4.6.22	2024-06-30	2024-10-31 Expired
4.5	2023-10-31	4.5.3	2024-02-29	2024-06-30 Expired
4.4	2021-09-07	4.4.0-20250919	2024-10-08	2025-10-08 Expired
4.3	2020-04-30	4.3.0-20240424	2023-03-07	2025-03-07 Expired
4.2	2019-05-02	4.2.2-20221027	2021-05-02	2023-05-02 Expired
4.1	2018-03-20	4.1.6-20240112	2020-11-02	2022-11-02 Expired
3.9	2017-10-09	3.9.5-20240122	2021-03-20	2024-03-20 Expired	LTS
3.8	2016-05-16	3.8.7	2018-11-16	2021-11-16 Expired	LTS

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Mule Runtime” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2021-08-05

High

CVE-2021-1630

XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on…

CVSS: 7.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

2021-03-26

Critical

CVE-2021-1628

MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4…

CVSS: 9.8 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

Critical

CVE-2021-1627

MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. This affects: Mule 3.8.…

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD

Critical

CVE-2021-1626

MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Versions affected: Mule 4.1.x…

CVSS: 9.8 CWE: N/A View on NVD

2019-08-30

High

CVE-2019-15630

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD