Skip to main content

Apache ActiveMQ CVE-2026-41043

| EUVDEUVD-2026-25411 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-24 apache GHSA-2jp3-2923-9h52
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat
4.6 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 14:49 nvd
Patch available
Analysis Generated
Apr 24, 2026 - 21:30 vuln.today
CVSS changed
Apr 24, 2026 - 19:22 NVD
6.5 (None) 6.5 (MEDIUM)
Patch available
Apr 24, 2026 - 12:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 10:30 euvd
EUVD-2026-25411
Analysis Generated
Apr 24, 2026 - 10:30 vuln.today
CVE Published
Apr 24, 2026 - 10:16 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
  • 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionCVE.org

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

AnalysisAI

Stored XSS in Apache ActiveMQ and Apache ActiveMQ Web allows authenticated attackers to inject malicious HTML into JMS selector fields, which displays when other users browse queues in the web console. Affects ActiveMQ versions before 5.19.6 and 6.0.0 through 6.2.4; ActiveMQ Web before 5.19.6 and 6.0.0 through 6.2.4. The vulnerability requires valid authentication but no user interaction beyond normal queue browsing, and EPSS indicates very low exploitation probability (0.02%) despite the accessible attack vector.

Technical ContextAI

Apache ActiveMQ is a message broker that includes a web console for queue management. The vulnerability exists in the JMS selector field handling within the web UI, where the application fails to properly neutralize HTML markup when rendering queue content. Instead of sanitizing or encoding user-supplied input in the JMS selector field, the web console permits an authenticated user to override the content type header from XML to HTML, causing injected HTML tags to be interpreted as executable markup rather than data. This is a classic reflected/stored XSS vulnerability (CWE-79) where the application trusts the content-type negotiation mechanism without validating the actual payload content. The vulnerability spans across both the core ActiveMQ product and the dedicated ActiveMQ Web component across major version lines (5.x and 6.x).

RemediationAI

Upgrade Apache ActiveMQ to version 5.19.6 or 6.2.5 or later, which includes input sanitization for JMS selector fields. For ActiveMQ Web, apply the same version upgrades. If immediate patching is not possible, implement access controls to restrict web console authentication to trusted administrators only, verify that Content-Type handling is enforced server-side to reject HTML payloads in JMS selectors, and consider deploying a reverse proxy with request filtering to block HTML tags in selector parameters. Note that these compensating controls do not eliminate the vulnerability but reduce exposure by limiting who can exploit it and by blocking the most obvious attack vectors.

Vendor StatusVendor

Share

CVE-2026-41043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy