Medium severity 6.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026
CVE-2026-41043
Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.
This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.
Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:apache-activemq (Maven) | < 5.19.6 | 5.19.6 |
| org.apache.activemq:activemq-all (Maven) | < 5.19.6 | 5.19.6 |
| org.apache.activemq:activemq-broker (Maven) | < 5.19.6 | 5.19.6 |
| org.apache.activemq:apache-activemq (Maven) | >= 6.0.0, < 6.2.5 | 6.2.5 |
| org.apache.activemq:activemq-all (Maven) | >= 6.0.0, < 6.2.5 | 6.2.5 |
| org.apache.activemq:activemq-broker (Maven) | >= 6.0.0, < 6.2.5 | 6.2.5 |
Affected products (8)
- osv-coords (6 versions):
  - pkg:apk/chainguard/geoserver-2.27-community
  - pkg:apk/chainguard/geoserver-2.28-community
  - pkg:bitnami/activemq
  - pkg:maven/org.apache.activemq/activemq-all
  - pkg:maven/org.apache.activemq/activemq-broker
  - pkg:maven/org.apache.activemq/apache-activemq
- (no CPE) range: < 2.27.5-r9
- (no CPE) range: < 2.28.3-r7
- (no CPE) range: < 5.19.6
- (no CPE) range: < 5.19.6
- (no CPE) range: < 5.19.6
- (no CPE) range: < 5.19.6
References (4)
- activemq.apache.org/security-advisories.data/CVE-2026-41043-announcement.txt (nvd; Vendor Advisory; WEB)
- github.com/advisories/GHSA-2jp3-2923-9h52 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-41043 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2026/04/23/5 (nvd; Mailing List; WEB)