CVE-2026-52760
Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
| CWE | CWE-79 |
| Vendor | apache software foundation |
| Product | apache activemq |
| Published | Jun 30, 2026 |
| Last Updated | Jun 30, 2026 |
Get instant alerts for apache software foundation apache activemq
Be the first to know when new unknown vulnerabilities affecting apache software foundation apache activemq are published — delivered to Slack, Telegram or Discord.