CVE-2026-41043

Summary

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache ActiveMQ0 < 5.19.6affected
Apache Software FoundationApache ActiveMQ6.0.0 < 6.2.5affected
Apache Software FoundationApache ActiveMQ Web0 < 5.19.6affected
Apache Software FoundationApache ActiveMQ Web6.0.0 < 6.2.5affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-915: CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References