Cross-site scripting in ActiveMQ - CVE-2026-42253

Published: June 4, 2026


Vulnerability identifier: #VU133394
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42253
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software: ActiveMQ

Detailed vulnerability description

The vulnerability allows a remote attacker to inject or overwrite HTTP response headers.

The vulnerability exists due to improper neutralization of input during web page generation in the MessageServlet of the ActiveMQ web console API, which copies JMS message properties into HTTP response headers. A remote attacker can set crafted JMS message properties to inject or overwrite HTTP response headers.

The issue affects messages returned by the servlet.
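The weakness described above is a trust boundary problem: message properties are attacker-controlled data, but the servlet treats them as safe header names and values. The following is an added illustration, written for this advisory and not ActiveMQ's own code or its fix; it is in Python rather than Java purely to keep the check language-neutral. It places the verbatim copy next to a guarded copy that rejects non-token header names, values containing control characters (CR/LF is what lets one value become extra header lines), and any property that would replace a header the servlet already set. The PROTECTED_HEADERS set and the sample properties are assumptions constructed for the example.

```python
import re

# RFC 7230: header names are tokens; values must not contain control
# characters. A CR or LF inside a value is what turns one property into
# additional, attacker-chosen response header lines.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Assumption for this example: headers the servlet sets itself and that a
# message property must never be allowed to replace.
PROTECTED_HEADERS = {"content-type", "content-length", "set-cookie", "location"}


class UnsafeHeader(ValueError):
    """Raised when a property cannot safely become a response header."""


def unsafe_copy(properties: dict, existing: dict) -> dict:
    """The vulnerable pattern: every property becomes a header, unchecked."""
    headers = dict(existing)
    headers.update({name: str(value) for name, value in properties.items()})
    return headers


def validate_header(name: str, value: str) -> None:
    """Reject names that are not tokens, values with control characters,
    and names of headers the servlet must stay in charge of."""
    if not _TOKEN_RE.match(name):
        raise UnsafeHeader(f"invalid header name: {name!r}")
    if _CTL_RE.search(value):
        raise UnsafeHeader(f"control character in value of {name!r}")
    if name.lower() in PROTECTED_HEADERS:
        raise UnsafeHeader(f"refusing to overwrite protected header {name!r}")


def safe_copy(properties: dict, existing: dict) -> tuple[dict, list]:
    """Guarded copy. Returns (headers, rejected): the response header map
    after adding only the properties that pass validation, plus a list of
    (name, reason) pairs for the ones that were dropped, which is what a
    defender would want logged."""
    headers = dict(existing)
    rejected = []
    for name, value in properties.items():
        value = str(value)
        try:
            validate_header(name, value)
        except UnsafeHeader as exc:
            rejected.append((name, str(exc)))
            continue
        # Never let a property overwrite a header that is already present,
        # whatever its name (comparison is case-insensitive).
        if name.lower() in {h.lower() for h in headers}:
            rejected.append((name, "would overwrite existing header"))
            continue
        headers[name] = value
    return headers, rejected


# Constructed sample input for the example; not taken from the advisory.
SAMPLE_PROPERTIES = {
    "JMSXGroupID": "orders",                 # legitimate, passes
    "evil": "x\r\nX-Injected: 1",            # CR/LF would add a header line
    "Content-Type": "text/html",             # would replace a protected header
    "bad name": "1",                         # not a valid header token
}
SAMPLE_EXISTING = {"Content-Type": "text/plain"}

if __name__ == "__main__":
    print("unchecked:", unsafe_copy(SAMPLE_PROPERTIES, SAMPLE_EXISTING))
    headers, rejected = safe_copy(SAMPLE_PROPERTIES, SAMPLE_EXISTING)
    print("guarded:  ", headers)
    for name, reason in rejected:
        print(f"dropped {name!r}: {reason}")
```

Running the block shows the unchecked copy carrying the CR/LF value and the replaced Content-Type through to the response, while the guarded copy keeps only the legitimate property and reports the other three. The rejected list is deliberately returned rather than silently discarded: a burst of dropped properties is a useful detection signal that someone is probing the servlet.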


How to mitigate CVE-2026-42253

Install the security update from the vendor's website.

Sources