CVE-2026-42253
Stored XSS in Apache ActiveMQ Web Console API
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq | From 6.0.0 (inc) to 6.2.6 (exc) |
| apache | activemq_web | From 6.0.0 (inc) to 6.2.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-42253 is a vulnerability in Apache ActiveMQ and Apache ActiveMQ Web involving improper neutralization of input during web page generation, leading to Cross-site Scripting (XSS).
Specifically, the MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without validating the input. This allows attackers to inject or overwrite security headers by setting malicious properties on JMS messages returned by the servlet.
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform Cross-site Scripting (XSS) attacks by injecting malicious content into HTTP response headers.
Such attacks can lead to unauthorized actions in the context of a user's browser, potentially compromising user data, session tokens, or security controls.
Additionally, attackers can overwrite security headers, weakening the security posture of the affected web application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the MessageServlet in the Apache ActiveMQ web console API copying JMS message properties into HTTP response headers without validation, which can lead to HTTP response header injection and cross-site scripting (XSS).
To detect this vulnerability on your system, you can monitor HTTP responses from the ActiveMQ web console for unexpected or suspicious HTTP headers that reflect JMS message properties.
While no specific detection commands are provided in the available resources, you can use tools like curl or browser developer tools to inspect HTTP response headers for anomalies.
- Use curl to send a request to the ActiveMQ web console and inspect response headers: curl -I http://<activemq-host>:<port>/api/message
- Use browser developer tools (Network tab) to examine HTTP response headers for injected or unexpected headers.
- Check JMS messages for properties that could be reflected in HTTP headers, indicating potential injection points.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Apache ActiveMQ and Apache ActiveMQ Web to versions 5.19.7 or 6.2.6 or later, where the vulnerability has been fixed.
In these fixed versions, the MessageServlet has been deprecated and disabled by default, preventing the vulnerability from being exploitable.
Until you can upgrade, consider disabling the MessageServlet if possible to reduce exposure.