Cross-site Scripting Vulnerability in Apache ActiveMQ and Web Console
CVE-2026-52760

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 30 June 2026

What is CVE-2026-52760?

Apache ActiveMQ and its Web Console are susceptible to a Cross-site Scripting (XSS) vulnerability caused by improper neutralization of input during web page generation. An authenticated producer can send a crafted JMS message containing HTML/JavaScript in the message ID. When an administrator views the corresponding message in the Web Console, the malicious payload executes within their browser context, potentially leading to unauthorized actions or data exposure. Users are advised to upgrade to Apache ActiveMQ version 6.2.7 or 5.19.8 to mitigate this risk.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.8

Apache ActiveMQ 6.0.0 < 6.2.7

Apache ActiveMQ Web Console 0 < 5.19.8
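
A triage sketch for the description and version ranges above, added here as an example and not taken from Apache or the advisory: it checks a broker version against the listed Apache ActiveMQ ranges, flags message IDs containing HTML metacharacters, and shows the output encoding that keeps such an ID inert. The function names and the sample message IDs are assumptions constructed for illustration.

```python
import html
import re

# Affected ranges as listed on this page for Apache ActiveMQ:
# [0, 5.19.8) and [6.0.0, 6.2.7). Upper bounds are the fixed releases.
AFFECTED_RANGES = [((0, 0, 0), (5, 19, 8)), ((6, 0, 0), (6, 2, 7))]

# Characters that let a value break out of HTML text or attribute context.
HTML_META = re.compile(r"[<>\"'&]")


def parse_version(text):
    """Turn '5.18.3' into (5, 18, 3); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True if the version falls inside one of the ranges listed above."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def suspicious_message_ids(message_ids):
    """Return the IDs that contain HTML metacharacters, for manual review."""
    return [mid for mid in message_ids if HTML_META.search(mid)]


def render_cell(message_id):
    """Encode a message ID for an HTML table cell so markup is shown as text."""
    return "<td>" + html.escape(message_id, quote=True) + "</td>"


if __name__ == "__main__":
    # Constructed sample data, not captured from a real broker.
    sample_ids = [
        "ID:host-a-40123-1719740000000-1:1:1:1",
        "ID:<b>constructed</b>",
    ]
    for v in ("5.19.7", "5.19.8", "6.1.0", "6.2.7"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(suspicious_message_ids(sample_ids))
    print(render_cell(sample_ids[1]))
```
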

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Biswajeet Ray