This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new 1069714ce cve announcements
1069714ce is described below
commit 1069714ce497844e11f8ffb77cf0c6827185e97b
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Thu Apr 23 13:13:11 2026 -0400
cve announcements
---
src/components/classic/security.md | 3 ++
.../CVE-2026-40466-announcement.txt | 36 ++++++++++++++++++++++
.../CVE-2026-41043-announcement.txt | 27 ++++++++++++++++
.../CVE-2026-41044-announcement.txt | 33 ++++++++++++++++++++
4 files changed, 99 insertions(+)
diff --git a/src/components/classic/security.md
b/src/components/classic/security.md
index ec766a7cd..1fb2f82e0 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md
@@ -9,6 +9,9 @@ Details of security problems fixed in released versions of
Apache ActiveMQ Class
See the main [Security Advisories](../../security-advisories) page for details
for other components and general information such as reporting new security
issues.
+*
[CVE-2026-41044](../../security-advisories.data/CVE-2026-41044-announcement.txt)
- Authenticated user can perform RCE via DestinationView MBean exposed by
Jolokia
+*
[CVE-2026-41043](../../security-advisories.data/CVE-2026-41043-announcement.txt)
- ActiveMQ Web Console - XSS vulnerability when browsing queues
+*
[CVE-2026-40466](../../security-advisories.data/CVE-2026-40466-announcement.txt)
- Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI
*
[CVE-2026-40046](../../security-advisories.data/CVE-2026-40046-announcement.txt)
- Missing fix for CVE-2025-66168: MQTT control packet remaining length field
is not properly validated
*
[CVE-2026-39304](../../security-advisories.data/CVE-2026-39304-announcement.txt)
- Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM
*
[CVE-2026-34197](../../security-advisories.data/CVE-2026-34197-announcement.txt)
- Authenticated users could perform RCE via Jolokia MBeans
diff --git a/src/security-advisories.data/CVE-2026-40466-announcement.txt
b/src/security-advisories.data/CVE-2026-40466-announcement.txt
new file mode 100644
index 000000000..8500f0b7c
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-40466-announcement.txt
@@ -0,0 +1,36 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.6
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.5
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.5
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All,
Apache ActiveMQ.
+
+
+
+An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a
connector using an HTTP Discovery transport via BrokerView.addNetworkConnector
or BrokerView.addConnector through Jolokia if the activemq-http module is on
the classpath.
+A malicious HTTP endpoint can return a VM transport through the HTTP URI which
will bypass the validation added in CVE-2026-34197. The attacker can then use
the VM transport's brokerConfig parameter to load a remote Spring XML
application context using ResourceXmlApplicationContext.
+Because Spring's ResourceXmlApplicationContext instantiates all singleton
beans before the BrokerService validates the configuration, arbitrary code
execution occurs on the broker's JVM through bean factory methods such as
Runtime.exec().
+
+
+This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before
6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache
ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.
+
+Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the
issue.
+
+Credit:
+
+Fatih Ersinadim (finder)
+gggggggga (finder)
+
+References:
+
+https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-40466
diff --git a/src/security-advisories.data/CVE-2026-41043-announcement.txt
b/src/security-advisories.data/CVE-2026-41043-announcement.txt
new file mode 100644
index 000000000..29fb9d2ca
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-41043-announcement.txt
@@ -0,0 +1,27 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.6
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.5
+
+Description:
+
+Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
+
+An authenticated attacker can show malicious content when browsing queues in
the web console by overriding the content type to be HTML (instead of XML) and
by injecting HTML into a JMS selector field.
+
+This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5;
Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.
+
+Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the
issue.
+
+Credit:
+
+Khaled Alshammri (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-41043
diff --git a/src/security-advisories.data/CVE-2026-41044-announcement.txt
b/src/security-advisories.data/CVE-2026-41044-announcement.txt
new file mode 100644
index 000000000..280b6c15a
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-41044-announcement.txt
@@ -0,0 +1,33 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.6
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.5
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.5
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code
Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache
ActiveMQ All.
+
+An authenticated attacker can use the admin web console page to construct a
malicious broker name that bypasses name validation to include an xbean binding
that can be later used by a VM transport to load a remote Spring XML
application.
+The attacker can then use the DestinationView mbean to send a message to
trigger a VM transport creation that will reference this malicious broker name
which can lead to loading the malicious Spring XML context file.
+
+
+Because Spring's ResourceXmlApplicationContext instantiates all singleton
beans before the BrokerService validates the configuration, arbitrary code
execution occurs on the broker's JVM through bean factory methods such as
Runtime.exec().
+
+This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5;
Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ
All: before 5.19.6, from 6.0.0 before 6.2.5.
+
+Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the
issue.
+
+Credit:
+
+jsjcw (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-41044
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact