Are the reports not showing up for you? I added everything yesterday and as far as I can tell it was updated fine.
On Mon, Jun 1, 2026 at 11:10 AM Casey A. Owen <[email protected]> wrote: > > Christopher, can you please ensure this latest round of CVEs is added to the > Apache ActiveMQ security advisories > (https://activemq.apache.org/components/classic/security)? > > Thanks, > > > Casey Owen | Sr Applications Analyst > Southwest Power Pool > > -----Original Message----- > From: Christopher L. Shannon <[email protected]> > Sent: Sunday, May 31, 2026 11:18 AM > To: [email protected]; [email protected] > Subject: **External Email** CVE-2026-49270: Apache ActiveMQ Broker, Apache > ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted > BrokerInfo (OpenWire) > > STOP! This is NOT an SPP email. > Be very cautious of any links or attachments unless you recognize this sender > and are expecting this email. > Please click the "Report Phish" button if you are unsure about this email. > > Severity: moderate > > Affected versions: > > - Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 5.14.0 before > 5.19.7 > - Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before > 6.2.6 > - Apache ActiveMQ (org.apache.activemq:activemq-all) 5.14.0 before 5.19.7 > - Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6 > - Apache ActiveMQ All (org.apache.activemq:apache-activemq) 5.14.0 before > 5.19.7 > - Apache ActiveMQ All (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6 > > Description: > > Exposure of Sensitive Information Through Metadata vulnerability in Apache > ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. > > Brokers that are configured with a network connector with syncDurableSubs set > to true, are vulnerable to an unauthenticated attacker who can receive a list > of all durable topic subscriptions in the broker, including client > identifiers, subscription names, topic destinations, and JMS selector > expressions, by sending a BrokerInfo command. The broker incorrectly responds > without first ensuring the connection is authenticated. > This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before > 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache > ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. > > Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the > issue. > > Credit: > > Basel Khaled (finder) > > References: > > https://activemq.apache.org/ > https://www.cve.org/CVERecord?id=CVE-2026-49270 > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] For further > information, visit: https://activemq.apache.org/contact > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] For further information, visit: https://activemq.apache.org/contact
