Medium severity 6.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026
CVE-2026-41043
Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.
This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.
Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:apache-activemq (Maven) | < 5.19.6 | 5.19.6 |
| org.apache.activemq:activemq-all (Maven) | < 5.19.6 | 5.19.6 |
| org.apache.activemq:activemq-broker (Maven) | < 5.19.6 | 5.19.6 |
| org.apache.activemq:apache-activemq (Maven) | >= 6.0.0, < 6.2.5 | 6.2.5 |
| org.apache.activemq:activemq-all (Maven) | >= 6.0.0, < 6.2.5 | 6.2.5 |
| org.apache.activemq:activemq-broker (Maven) | >= 6.0.0, < 6.2.5 | 6.2.5 |
Affected products: 2
Patches: 0 (No patches discovered yet.)
References
- activemq.apache.org/security-advisories.data/CVE-2026-41043-announcement.txt (NVD; Vendor Advisory; Web)
- github.com/advisories/GHSA-2jp3-2923-9h52 (GHSA; Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41043 (GHSA; Advisory)
- www.openwall.com/lists/oss-security/2026/04/23/5 (NVD; Mailing List; Web)
News mentions
- 20th April – Threat Intelligence Report (Check Point Research · Apr 20, 2026)
- Siemens Opcenter RDnL (CISA Alerts)