mumble CVE Vulnerabilities & Metrics

Focus on mumble vulnerabilities and metrics.

Last updated: 16 Apr 2026, 22:25 UTC

About mumble Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with mumble. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total mumble CVEs: 5
Earliest CVE date: 30 Apr 2012, 14:55 UTC
Latest CVE date: 16 Mar 2026, 14:18 UTC

Latest CVE reference: CVE-2025-71264

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical mumble CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.11

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	6
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS mumble CVEs

These are the five CVEs with the highest CVSS scores for mumble, sorted by severity first and recency.

CVE-2021-27229 mumble Published on 16 Feb 2021, 04:15 UTC (CVSS: 6.8)
Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.
CVE-2020-13962 mumble Published on 09 Jun 2020, 00:15 UTC (CVSS: 5.0)
Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVE-2018-20743 mumble Published on 25 Jan 2019, 16:29 UTC (CVSS: 5.0)
murmur in Mumble through 1.2.19 before 2018-08-31 mishandles multiple concurrent requests that are persisted in the database, which allows remote attackers to cause a denial of service (daemon hang or crash) via a message flood.
CVE-2014-3756 mumble Published on 16 Nov 2014, 11:59 UTC (CVSS: 5.0)
The client in Mumble 1.2.x before 1.2.6 allows remote attackers to force the loading of an external file and cause a denial of service (hang and resource consumption) via a crafted string that is treated as rich-text by a Qt widget, as demonstrated by the (1) user or (2) channel name in a Qt dialog, (3) subject common name or (4) email address to the Certificate Wizard, or (5) server name in a tooltip.
CVE-2014-3755 mumble Published on 16 Nov 2014, 11:59 UTC (CVSS: 5.0)
The QSvg module in Qt, as used in the Mumble client 1.2.x before 1.2.6, allows remote attackers to cause a denial of service (hang and resource consumption) via a local file reference in an (1) image tag or (2) XML stylesheet in an SVG file.

All CVEs for mumble

CVE-2025-71264 mumble vulnerability CVSS: 0 16 Mar 2026, 14:18 UTC

Mumble before 1.6.870 is prone to an out-of-bounds array access, which may result in denial of service (client crash).

CVE-2021-27229 mumble vulnerability CVSS: 6.8 16 Feb 2021, 04:15 UTC

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

CVE-2020-13962 mumble vulnerability CVSS: 5.0 09 Jun 2020, 00:15 UTC

Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)

CVE-2010-2490 mumble vulnerability CVSS: 4.0 31 Oct 2019, 16:15 UTC

Mumble: murmur-server has DoS due to malformed client query

CVE-2018-20743 mumble vulnerability CVSS: 5.0 25 Jan 2019, 16:29 UTC

murmur in Mumble through 1.2.19 before 2018-08-31 mishandles multiple concurrent requests that are persisted in the database, which allows remote attackers to cause a denial of service (daemon hang or crash) via a message flood.

CVE-2014-3756 mumble vulnerability CVSS: 5.0 16 Nov 2014, 11:59 UTC

The client in Mumble 1.2.x before 1.2.6 allows remote attackers to force the loading of an external file and cause a denial of service (hang and resource consumption) via a crafted string that is treated as rich-text by a Qt widget, as demonstrated by the (1) user or (2) channel name in a Qt dialog, (3) subject common name or (4) email address to the Certificate Wizard, or (5) server name in a tooltip.

CVE-2014-3755 mumble vulnerability CVSS: 5.0 16 Nov 2014, 11:59 UTC

The QSvg module in Qt, as used in the Mumble client 1.2.x before 1.2.6, allows remote attackers to cause a denial of service (hang and resource consumption) via a local file reference in an (1) image tag or (2) XML stylesheet in an SVG file.

CVE-2012-0863 mumble vulnerability CVSS: 2.1 30 Apr 2012, 14:55 UTC

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file.