CVE-2026-42253

MEDIUM

Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties

Title source: cna

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. The MessageServlet has now been deprecated and disabled by default.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/31/17

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/j9vmlc410ht5f28fc98gx75jcbq62j00

Scores

CVSS v3 6.1

EPSS 0.0042

EPSS Percentile 33.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (6)

apache/activemq < 5.19.7

apache/activemq_web < 5.19.7

Apache Software Foundation/Apache ActiveMQ < 5.19.7

Apache Software Foundation/Apache ActiveMQ 6.0.0 - 6.2.6

Apache Software Foundation/Apache ActiveMQ Web < 5.19.7

Apache Software Foundation/Apache ActiveMQ Web 6.0.0 - 6.2.6

Published Jun 01, 2026

Tracked Since Jun 01, 2026