Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field. This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

PUBLISHED Reserved 2026-04-16 | Published 2026-04-24 | Updated 2026-04-24 | Assigner apache

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

Product status

Apache ActiveMQ

Default status: unaffected
Any version before 5.19.6: affected
6.0.0 (semver) before 6.2.5: affected

Apache ActiveMQ Web

Default status: unaffected
Any version before 5.19.6: affected
6.0.0 (semver) before 6.2.5: affected

Credits

Khaled Alshammri (finder)

References

www.openwall.com/lists/oss-security/2026/04/23/5

activemq.apache.org/....data/CVE-2026-41043-announcement.txt vendor-advisory

cve.org (CVE-2026-41043)

nvd.nist.gov (CVE-2026-41043)
