CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52760

mediumCVSS 6.1covered by 1 sourcefirst seen 2026-06-30
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

⚡ Watch CVE-2026-52760

Get an email if CVE-2026-52760 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-52760

CVE.org record

Embed the live status

CVE-2026-52760 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52760 status](https://www.csirts.com/badge/CVE-2026-52760)](https://www.csirts.com/cve/CVE-2026-52760)