CVE-2026-42253
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet.
This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6.
Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. The MessageServlet has now been deprecated and disabled by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*range: <5.19.7
- (no CPE)range: <5.19.7, >=6.0.0 <6.2.6
Patches
Vulnerability mechanics
References
2- www.openwall.com/lists/oss-security/2026/05/31/17nvdMailing ListThird Party Advisory
- lists.apache.org/thread/j9vmlc410ht5f28fc98gx75jcbq62j00nvdMailing ListVendor Advisory
News mentions
2- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and MoreThe Hacker News · Jun 8, 2026
- Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header InjectionsCyber Security News · Jun 3, 2026