This is an automated email from the ASF dual-hosted git repository.

cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 1069714ce cve announcements
1069714ce is described below

commit 1069714ce497844e11f8ffb77cf0c6827185e97b
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Thu Apr 23 13:13:11 2026 -0400

    cve announcements
---
 src/components/classic/security.md                 |  3 ++
 .../CVE-2026-40466-announcement.txt                | 36 ++++++++++++++++++++++
 .../CVE-2026-41043-announcement.txt                | 27 ++++++++++++++++
 .../CVE-2026-41044-announcement.txt                | 33 ++++++++++++++++++++
 4 files changed, 99 insertions(+)

diff --git a/src/components/classic/security.md 
b/src/components/classic/security.md
index ec766a7cd..1fb2f82e0 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md
@@ -9,6 +9,9 @@ Details of security problems fixed in released versions of 
Apache ActiveMQ Class
 
 See the main [Security Advisories](../../security-advisories) page for details 
for other components and general information such as reporting new security 
issues.
 
+*   
[CVE-2026-41044](../../security-advisories.data/CVE-2026-41044-announcement.txt)
 - Authenticated user can perform RCE via DestinationView MBean exposed by 
Jolokia
+*   
[CVE-2026-41043](../../security-advisories.data/CVE-2026-41043-announcement.txt)
 - ActiveMQ Web Console -  XSS vulnerability when browsing queues
+*   
[CVE-2026-40466](../../security-advisories.data/CVE-2026-40466-announcement.txt)
 - Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI
 *   
[CVE-2026-40046](../../security-advisories.data/CVE-2026-40046-announcement.txt)
 - Missing fix for CVE-2025-66168: MQTT control packet remaining length field 
is not properly validated
 *   
[CVE-2026-39304](../../security-advisories.data/CVE-2026-39304-announcement.txt)
 - Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM
 *   
[CVE-2026-34197](../../security-advisories.data/CVE-2026-34197-announcement.txt)
 - Authenticated users could perform RCE via Jolokia MBeans
diff --git a/src/security-advisories.data/CVE-2026-40466-announcement.txt 
b/src/security-advisories.data/CVE-2026-40466-announcement.txt
new file mode 100644
index 000000000..8500f0b7c
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-40466-announcement.txt
@@ -0,0 +1,36 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.6
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.5
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.5
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code 
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, 
Apache ActiveMQ.
+
+
+
+An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a 
connector using an HTTP Discovery transport via BrokerView.addNetworkConnector 
or BrokerView.addConnector through Jolokia if the activemq-http module is on 
the classpath.
+A malicious HTTP endpoint can return a VM transport through the HTTP URI which 
will bypass the validation added in CVE-2026-34197. The attacker can then use 
the VM transport's brokerConfig parameter to load a remote Spring XML 
application context using ResourceXmlApplicationContext.
+Because Spring's ResourceXmlApplicationContext instantiates all singleton 
beans before the BrokerService validates the configuration, arbitrary code 
execution occurs on the broker's JVM through bean factory methods such as 
Runtime.exec().
+
+
+This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 
6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache 
ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.
+
+Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the 
issue.
+
+Credit:
+
+Fatih Ersinadim (finder)
+gggggggga (finder)
+
+References:
+
+https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-40466
diff --git a/src/security-advisories.data/CVE-2026-41043-announcement.txt 
b/src/security-advisories.data/CVE-2026-41043-announcement.txt
new file mode 100644
index 000000000..29fb9d2ca
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-41043-announcement.txt
@@ -0,0 +1,27 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.6
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.5
+
+Description:
+
+Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 
vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
+
+An authenticated attacker can show malicious content when browsing queues in 
the web console by overriding the content type to be HTML (instead of XML) and 
by injecting HTML into a JMS selector field.
+
+This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; 
Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.
+
+Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the 
issue.
+
+Credit:
+
+Khaled Alshammri (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-41043
diff --git a/src/security-advisories.data/CVE-2026-41044-announcement.txt 
b/src/security-advisories.data/CVE-2026-41044-announcement.txt
new file mode 100644
index 000000000..280b6c15a
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-41044-announcement.txt
@@ -0,0 +1,33 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.6
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.5
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.6
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.5
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code 
Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache 
ActiveMQ All.
+
+An authenticated attacker can use the admin web console page to construct a 
malicious broker name that bypasses name validation to include an xbean binding 
that can be later used by a VM transport to load a remote Spring XML 
application.
+The attacker can then use the DestinationView mbean to send a message to 
trigger a VM transport creation that will reference this malicious broker name 
which can lead to loading the malicious Spring XML context file.
+
+
+Because Spring's ResourceXmlApplicationContext instantiates all singleton 
beans before the BrokerService validates the configuration, arbitrary code 
execution occurs on the broker's JVM through bean factory methods such as 
Runtime.exec().
+
+This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; 
Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ 
All: before 5.19.6, from 6.0.0 before 6.2.5.
+
+Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the 
issue.
+
+Credit:
+
+jsjcw (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-41044


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact


Reply via email to