Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 4 maven packages depend on org.apache.activemq:activemq-web (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0.
DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet.
This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6.
Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. The MessageServlet has now been deprecated and disabled by default.
AnalysisAI
HTTP response header injection in Apache ActiveMQ's web console MessageServlet exposes users to security header override and cross-site scripting attacks. The servlet copies every JMS message property directly into HTTP response headers without sanitization, meaning an attacker who can publish crafted JMS messages to a broker queue can override headers such as Content-Security-Policy or X-Frame-Options when a web console user views those messages. No public exploit has been identified at time of analysis, and EPSS of 0.03% (9th percentile) reflects low observed exploitation probability, though the no-privilege-required CVSS vector and Scope:Changed score signal meaningful impact on browser security posture if exploited.
Technical ContextAI
Apache ActiveMQ's built-in web console exposes a MessageServlet that allows users to browse JMS messages stored in queues and topics. The vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs because this servlet reflects JMS message properties - arbitrary key-value metadata attached to messages - directly into HTTP response headers with no input validation or encoding. This is effectively an HTTP Response Header Injection issue classified under the XSS umbrella: injected headers can suppress or overwrite security directives like Content-Security-Policy, X-Frame-Options, or Strict-Transport-Security, degrading the browser's security posture for the victim's session. Affected CPE ranges cover Apache ActiveMQ and Apache ActiveMQ Web prior to 5.19.7, and from 6.0.0 through versions before 6.2.6. The CVSS Scope:Changed (S:C) reflects that the impact escapes the application boundary and affects the victim's browser context.
RemediationAI
Upgrade Apache ActiveMQ and Apache ActiveMQ Web to version 5.19.7 (for the 5.x branch) or 6.2.6 (for the 6.x branch), both confirmed as patched releases per vendor advisory at https://lists.apache.org/thread/j9vmlc410ht5f28fc98gx75jcbq62j00. In the patched versions, the MessageServlet has been deprecated and disabled by default, eliminating the vulnerable code path entirely. For deployments where immediate upgrade is not feasible, manually disabling or restricting access to the MessageServlet endpoint is the most effective compensating control - note that this will remove the ability to browse JMS messages from the web console. Additionally, restricting network access to the ActiveMQ web console to trusted internal networks or VPN reduces the attacker's ability to leverage injected headers against console users. Enforcing strong broker-level authentication for JMS producers limits who can plant malicious message properties, addressing the upstream condition for exploitation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33578
GHSA-8wm6-6fqh-phmc