Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Published: 2026-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Apache ActiveMQ and ActiveMQ Web have a Basic XSS flaw (CWE-79) that allows an attacker who can authenticate to the administrative web console to inject malicious HTML into a JMS selector field. When the attacker forces the web console to deliver a queue browsing page as HTML instead of XML, the injected code is rendered and executed by the victim’s browser. This can lead to session hijacking, credential theft, or other client‑side attacks.

Affected Systems

The vulnerability is present in Apache ActiveMQ releases prior to version 5.19.6 and any 6.x releases before 6.2.5, and in Apache ActiveMQ Web with the same version ranges. Upgrades to version 5.19.6 or 6.2.5 and later eliminate the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is below 1 percent, suggesting that exploitation likelihood is low, and the vulnerability is not part of the CISA Known Exploited Vulnerabilities catalog. The attack path requires authentication to the web console; once authenticated, the attacker can exploit the flaw via a browser session that loads the manipulated queue page.

Generated by OpenCVE AI on April 28, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache ActiveMQ and ActiveMQ Web to version 5.19.6 or 6.2.5 or later, which contains the fix for the XSS flaw.
  • Restrict access to the ActiveMQ Web console to trusted administrators only, and enforce strong authentication and least privilege to limit the potential impact.
  • Validate and sanitize the content of JMS selector fields to ensure no injected script tags are passed to the browser when displaying queue browsing pages.

Generated by OpenCVE AI on April 28, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2jp3-2923-9h52 Apache ActiveMQ Vulnerable to Cross-site Scripting
History

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache activemq
Apache activemq Web
CPEs cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache activemq
Apache activemq Web

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Fri, 24 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field. This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Title Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues
Weaknesses CWE-79
CWE-915
References

Subscriptions

Apache Activemq Activemq Web
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-24T18:17:14.457Z

Reserved: 2026-04-16T12:48:51.234Z

Link: CVE-2026-41043

cve-icon Vulnrichment

Updated: 2026-04-24T10:35:42.077Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T11:16:22.670

Modified: 2026-04-27T14:49:24.927

Link: CVE-2026-41043

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T10:16:23Z

Links: CVE-2026-41043 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses