Apache ActiveMQ Vulnerable to Cross-site Scripting

GHSA-2jp3-2923-9h52 · BIT-activemq-2026-41043 · CVE-2026-41043

Published Apr 24, 2026 · Modified May 14, 2026

Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

References

6.5 / 10

MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Packages

Maven/org.apache.activemq:activemq-all

Fix 5.19.6, 6.2.5

Introduced 0, 6.0.0

106 affected versions

4.1.25.0.05.1.05.10.05.10.15.10.25.11.05.11.15.11.25.11.35.11.45.12.05.12.15.12.25.12.35.13.05.13.15.13.25.13.35.13.4 +86 more

Maven/org.apache.activemq:activemq-broker

Fix 5.19.6, 6.2.5

Introduced 0, 6.0.0

91 affected versions

5.10.05.10.15.10.25.11.05.11.15.11.25.11.35.11.45.12.05.12.15.12.25.12.35.13.05.13.15.13.25.13.35.13.45.13.55.14.05.14.1 +71 more

Maven/org.apache.activemq:apache-activemq

Fix 5.19.6, 6.2.5

Introduced 0, 6.0.0

107 affected versions

4.1.14.1.25.0.05.1.05.10.05.10.15.10.25.11.05.11.15.11.25.11.35.11.45.12.05.12.15.12.25.12.35.13.05.13.15.13.25.13.3 +87 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes