
Apache ActiveMQ EUVD-2026-40279

CVE-2026-52760, MEDIUM
Cross-site Scripting (XSS) (CWE-79)
6.1 (CVSS 3.1, Vendor)

Severity by source

Vendor (CNA), primary: 6.1 MEDIUM
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

vuln.today AI: 5.4 MEDIUM

Producer authentication requires PR:L; an administrator must browse the queue, so UI:R; the XSS executes in the administrator's browser, changing scope (S:C), with limited session-level C and I impact.

CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Severity changed: Jun 30, 2026 - 17:22 (NVD): HIGH → MEDIUM
CVSS changed: Jun 30, 2026 - 17:22 (NVD): 6.1 (HIGH) → 6.1 (MEDIUM)
Patch available: Jun 30, 2026 - 12:01 (EUVD)
Analysis generated: Jun 29, 2026 - 22:18 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious JavaScript via a crafted JMS message ID, which executes in the browser of any administrator who browses the affected queue. The browse page renders message IDs without HTML sanitization, enabling privilege escalation from producer to administrator via session hijacking or credential theft. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Obtain producer credentials
Delivery: Connect to ActiveMQ broker
Exploit: Craft JMS message with malicious script ID
Install: Publish message to target queue
C2: Wait for admin to browse queue in Web Console
Execute: Execute JavaScript in admin browser
Impact: Steal session token or perform admin actions

Vulnerability Assessment (AI)

Exploitation: The attacker must hold authenticated credentials as a JMS message producer with write access to at least one queue on the target broker - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: No CVSS vector was published by NVD at time of analysis, so all metric assessments are independently derived from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with valid message-producer credentials connects to the ActiveMQ broker and publishes a message whose JMS message ID is set to a value containing an HTML script tag with JavaScript (e.g., a session-stealing payload targeting document.cookie). The malicious message ID is stored in the broker. …

Remediation: Upgrade to Apache ActiveMQ 6.2.7 (for 6.x deployments) or 5.19.8 (for 5.x deployments), both released June 29, 2026 and confirmed as the official fixes by the Apache advisory at https://activemq.apache.org/. … Detailed patch versions, workarounds, and compensating controls in full report.
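As an added defensive illustration (not code from the advisory or from ActiveMQ itself), the Python below contrasts the vulnerable render pattern with an output-escaped one and adds an audit check over constructed queue-browse records, useful as a compensating control while the upgrade is pending. The broker-generated message-ID shape it expects, the function names and all sample values are assumptions.

```python
import html
import re

# Assumed shape of a broker-generated JMS message ID (not stated on the page):
#   ID:<host>-<port>-<timestamp>-<session>:<producer>:<sequence>
JMS_ID_PATTERN = re.compile(r"^ID:[A-Za-z0-9._-]+-\d+-\d+-\d+:\d+:\d+$")
HTML_METACHARS = re.compile(r"[<>\"'&]")

def render_message_row_unsafe(message_id: str) -> str:
    """Vulnerable pattern: the producer-controlled ID is concatenated into markup."""
    return f"<td>{message_id}</td>"

def render_message_row(message_id: str) -> str:
    """Hardened pattern: escape the ID at the HTML boundary before rendering."""
    return f"<td>{html.escape(message_id, quote=True)}</td>"

def classify_message_id(message_id: str) -> str:
    """Return 'markup' for IDs carrying HTML metacharacters, 'malformed' for IDs
    that do not match the expected broker-generated shape, otherwise 'ok'."""
    if HTML_METACHARS.search(message_id):
        return "markup"
    if not JMS_ID_PATTERN.match(message_id):
        return "malformed"
    return "ok"

# Constructed sample of (queue, message ID) pairs as an audit pass might collect
# them from a queue browse; none of these values come from the advisory.
SAMPLE_BROWSE = [
    ("orders", "ID:broker1-34567-1719600000000-1:1:1"),
    ("orders", "ID:broker1-34567-1719600000000-1:1:2"),
    ("orders", "<script>alert(1)</script>"),
    ("billing", "ID:custom-producer-id"),
]

def audit_queue_browse(records):
    """Return (queue, message_id, verdict) for every ID that needs review."""
    findings = []
    for queue, message_id in records:
        verdict = classify_message_id(message_id)
        if verdict != "ok":
            findings.append((queue, message_id, verdict))
    return findings

if __name__ == "__main__":
    for queue, message_id, verdict in audit_queue_browse(SAMPLE_BROWSE):
        print(f"{queue}: {verdict}: {render_message_row(message_id)}")
```

A 'malformed' verdict only means the ID was not generated by the broker in the expected shape (clients may legitimately set their own), so treat it as a review trigger rather than proof of abuse.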

Recommended Action (AI)

Within 24 hours: inventory all ActiveMQ Web Console instances; audit and list all message producer accounts with active credentials. …


EUVD-2026-40279 vulnerability details – vuln.today
