CVE-2026-52760 | Improper Neutralization of Input During Web Page Generation …

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Metadata

CVE ID: CVE-2026-52760
State: PUBLISHED
Assigner: apache
Reserved: 2026-06-08 15:39 UTC
Published: 2026-06-30 09:50 UTC
Last updated: 2026-06-30 11:06 UTC
Primary CWE: CWE-79
CWE-79 Improper Neutralization of Input During Web Page Gene…
Vendor / Product: Apache Software Foundation / Apache ActiveMQ
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (2)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache ActiveMQ	—	0 < 5.19.8, 6.0.0 < 6.2.7
Apache Software Foundation	Apache ActiveMQ Web Console	—	0 < 5.19.8, 6.0.0 < 6.2.7

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References (1)

https://lists.apache.org/thread/d3mhyo2116nomz2lwxppyy4pclvdxq3n