Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console.

The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Published: 2026-06-30
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs because the ActiveMQ Web Console displays a message ID directly without sanitization. An authenticated producer can send a message whose JMS message ID contains crafted HTML or JavaScript. When an administrator browses the queue in the Web Console, the malicious payload is executed in the administrator’s browser. This stored cross‑site scripting flaw, classified as CWE‑79, can enable an attacker to hijack the administrative session, exfiltrate credentials, or perform arbitrary actions on behalf of the administrator.

Affected Systems

Apache ActiveMQ versions prior to 5.19.8 and prior to 6.2.7 (from 6.0.0 to 6.2.6) are affected, as are the corresponding ActiveMQ Web Console components in those same version ranges. No additional product details are provided.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate to high risk level, and EPSS data is unavailable, indicating limited publicly known exploitation data. The vulnerability is not listed in the CISA KEV catalog and no remote exploitation has been reported. Exploitation requires an authenticated producer who can craft a message ID, so the risk is high where producer credentials are exposed or not strictly controlled. Organizations should evaluate their producer access controls and the exposure of the Web Console to trusted administrators only.

Generated by OpenCVE AI on June 30, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache ActiveMQ to version 5.19.8 or later and Apache ActiveMQ Web Console to version 6.2.7 or later.
  • Disable the Web Console for all users except trusted administrators to limit exposure.
  • Implement strict validation of JMS message IDs in custom applications to strip or escape any characters that could be interpreted as HTML or JavaScript.
  • Consider setting up a monitored authentication process for message producers to prevent injection of malformed message IDs.

Generated by OpenCVE AI on June 30, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Title Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console
Weaknesses CWE-79
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T15:58:39.098Z

Reserved: 2026-06-08T15:39:32.251Z

Link: CVE-2026-52760

cve-icon Vulnrichment

Updated: 2026-06-30T11:06:19.413Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')