CVE-2026-41043

Source
https://cve.org/CVERecord?id=CVE-2026-41043
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41043.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41043
Aliases
Downstream
Related
Published
2026-04-24T10:16:23.810Z
Modified
2026-07-08T08:13:12.975325400Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues
Details

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "5.19.6"
                },
                {
                    "introduced": "6.0.0"
                },
                {
                    "fixed": "6.2.5"
                },
                {
                    "fixed": "5.19.6"
                },
                {
                    "introduced": "6.0.0"
                },
                {
                    "fixed": "6.2.5"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "5.19.6"
                },
                {
                    "introduced": "6.0.0"
                },
                {
                    "fixed": "6.2.5"
                },
                {
                    "fixed": "5.19.6"
                },
                {
                    "introduced": "6.0.0"
                },
                {
                    "fixed": "6.2.5"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41043.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-79",
        "CWE-915"
    ]
}
References

Affected packages

Git / github.com/apache/activemq

Affected ranges

Type
GIT
Repo
https://github.com/apache/activemq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.19.6"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.2.5"
        }
    ]
}

Affected versions

activemq-5.*
activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.16.0
activemq-5.18.0
activemq-5.18.1
activemq-5.18.2
activemq-5.18.3
activemq-5.18.4
activemq-5.18.5
activemq-5.18.6
activemq-5.19.0
activemq-5.19.1
activemq-5.19.2
activemq-5.9.0
activemq-6.*
activemq-6.0.0
activemq-6.1.0
activemq-6.1.1
activemq-6.1.2
activemq-6.2.0
activemq-6.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41043.json"