Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3474 articles · 175721 vulns · 37/41 feeds (7d)
← Back to list
6.1
CVE-2026-52760PATCHED
apache software foundation · apache activemq

Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Affected Products

VendorProductVersions
apache software foundationapache activemq0, 6.0.0, 0, 6.0.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apacheactivemqcert_advisory90%

References

  • https://lists.apache.org/thread/d3mhyo2116nomz2lwxppyy4pclvdxq3n(vendor-advisory)

Related News (2 articles)

Tier B
BSI Advisories6h ago
[NEU] [mittel] Apache ActiveMQ: Schwachstelle ermöglicht Cross-Site Scripting
→ No new info (linked only)
Tier C
VulDB14d ago
CVE-2026-52760 | Apache ActiveMQ/ActiveMQ Web Console up to 5.19.7/6.2.6 cross site scripting
→ No new info (linked only)
CVSS 3.16.1 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA KEV❌ No
Actively exploited❌ No
Patch available
5.19.86.2.7
CWECWE-79
PublishedJun 30, 2026
Last enriched13d ago
Trending Score34
Source articles2
Independent2
Info Completeness0/14
Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-59084EXP
Apache Tomcat: EncryptInterceptor requirements not clearly documented
Trending: 78
CRITICALCVE-2026-59083EXP
Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass
Trending: 78
NONECVE-2026-49098
Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic
Trending: 17
NONECVE-2026-49365
Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Trending: 17
NONECVE-2026-49099
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Trending: 17

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 30, 2026
Discovered by ZDM
Jun 30, 2026
Patch Available
Jun 30, 2026