Cross-site Scripting Vulnerability in Apache ActiveMQ and Apache ActiveMQ Web
CVE-2026-42253

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 1 June 2026

What is CVE-2026-42253?

Apache ActiveMQ and Apache ActiveMQ Web are affected by a Cross-site Scripting (XSS) vulnerability caused by improper handling of user input in the MessageServlet. The servlet copies JMS message properties directly into HTTP response headers without any validation or sanitization. Attackers can exploit this flaw by injecting malicious content into these message properties, potentially compromising the integrity of the server's HTTP response. Users are advised to update to the latest versions of ActiveMQ and ActiveMQ Web, in which the MessageServlet has been updated and is also deprecated and disabled by default.
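The pattern described above, next to one way to validate properties before they become headers. This is an added example, not ActiveMQ's code and not the project's actual fix; the class and method names are hypothetical, and response headers are modelled as a plain `Map` so the example runs without the servlet API.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration; not ActiveMQ source. All names here are hypothetical.
public class HeaderCopyExample {

    // RFC 7230 "token": the characters permitted in an HTTP header field name.
    private static final Pattern TOKEN =
            Pattern.compile("^[!#$%&'*+.^_`|~0-9A-Za-z-]+$");

    // Unvalidated pattern as the advisory describes it: properties go to headers as-is.
    static Map<String, String> copyUnchecked(Map<String, String> props) {
        return new LinkedHashMap<>(props);
    }

    // Validated pattern: skip any property whose name is not a token or whose
    // value contains control characters (CR and LF included; tab is allowed).
    static Map<String, String> copyValidated(Map<String, String> props) {
        Map<String, String> headers = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            String name = e.getKey();
            String value = e.getValue();
            if (name == null || value == null) continue;
            if (!TOKEN.matcher(name).matches()) continue;
            if (value.chars().anyMatch(c -> (c < 0x20 && c != '\t') || c == 0x7f)) continue;
            headers.put(name, value);
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample properties, standing in for a JMS message's properties.
        Map<String, String> props = new LinkedHashMap<>();
        props.put("orderId", "12345");
        props.put("note", "line1\r\nline2");   // value with CR/LF
        props.put("bad name", "x");            // name is not a valid header token

        System.out.println("unchecked: " + copyUnchecked(props).keySet());
        System.out.println("validated: " + copyValidated(props).keySet());
    }
}
```

Only `orderId` survives `copyValidated`; a deployment that still needs the servlet could log the skipped properties to spot producers sending malformed values.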

Affected Version(s)

Apache ActiveMQ 0 < 5.19.7

Apache ActiveMQ 6.0.0 < 6.2.6

Apache ActiveMQ Web 0 < 5.19.7

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vishal Shukla
pyn3rd
uname
4ra1n