This is an automated email from the ASF dual-hosted git repository.

cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new bdf005a21 Add new CVE announcements
bdf005a21 is described below

commit bdf005a21fb9d37d8ba39de05b9e740de6da1f16
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Mon Jun 29 15:05:38 2026 -0400

    Add new CVE announcements
---
 src/components/classic/security.md                 |  9 +++++++
 .../CVE-2026-49432-announcement.txt                | 31 ++++++++++++++++++++++
 .../CVE-2026-49434-announcement.txt                | 29 ++++++++++++++++++++
 .../CVE-2026-49877-announcement.txt                | 24 +++++++++++++++++
 .../CVE-2026-50734-announcement.txt                | 28 +++++++++++++++++++
 .../CVE-2026-50750-announcement.txt                | 24 +++++++++++++++++
 .../CVE-2026-50760-announcement.txt                | 26 ++++++++++++++++++
 .../CVE-2026-53916-announcement.txt                | 29 ++++++++++++++++++++
 .../CVE-2026-53917-announcement.txt                | 30 +++++++++++++++++++++
 .../CVE-2026-54475-announcement.txt                | 29 ++++++++++++++++++++
 10 files changed, 259 insertions(+)

diff --git a/src/components/classic/security.md 
b/src/components/classic/security.md
index 24222e7f3..c9d64cebc 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md
@@ -9,6 +9,15 @@ Details of security problems fixed in released versions of 
Apache ActiveMQ Class
 
 See the main [Security Advisories](../../security-advisories) page for details 
for other components and general information such as reporting new security 
issues.
 
+*   
[CVE-2026-54475](../../security-advisories.data/CVE-2026-54475-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-53917](../../security-advisories.data/CVE-2026-53917-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-53916](../../security-advisories.data/CVE-2026-49157-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-50760](../../security-advisories.data/CVE-2026-50760-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-50750](../../security-advisories.data/CVE-2026-50750-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-50734](../../security-advisories.data/CVE-2026-50734-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-49877](../../security-advisories.data/CVE-2026-49877-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-49434](../../security-advisories.data/CVE-2026-49434-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
+*   
[CVE-2026-49432](../../security-advisories.data/CVE-2026-49432-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
 *   
[CVE-2026-49270](../../security-advisories.data/CVE-2026-49270-announcement.txt)
 - Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)
 *   
[CVE-2026-49157](../../security-advisories.data/CVE-2026-49157-announcement.txt)
 - Authenticated low-privilege Web users retain Jolokia broker-management 
capability by default
 *   
[CVE-2026-46605](../../security-advisories.data/CVE-2026-46605-announcement.txt)
 - Incomplete authorization during destination removal
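Review bot: every one of the nine new bullets carries the same summary, "Authenticated low-privilege Web users retain Jolokia broker-management capability by default", but none of the announcement files added in this commit describe that issue (they cover STOMP and OpenWire memory exhaustion, LDAP-driven transport instantiation, /admin/* path authorization, a browse-page XSS and temporary-destination isolation), so each bullet should be given its own advisory's title. The CVE-2026-53916 bullet also links to `../../security-advisories.data/CVE-2026-49157-announcement.txt`; it should point at `CVE-2026-53916-announcement.txt`, otherwise readers land on the older advisory.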
diff --git a/src/security-advisories.data/CVE-2026-49432-announcement.txt 
b/src/security-advisories.data/CVE-2026-49432-announcement.txt
new file mode 100644
index 000000000..a53910745
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49432-announcement.txt
@@ -0,0 +1,31 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) before 5.19.8
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) 6.0.0 before 6.2.7
+
+Description:
+
+Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ 
All, Apache ActiveMQ Stomp.
+
+A remote unauthenticated peer that can reach an exposed STOMP connector can 
trigger denial-of-service behavior by sending a negative content-length. For 
the NIO STOMP transport, an attacker can keep streaming body bytes and grow the 
per-connection command buffer beyond configured limits to cause OOM. For the 
blocking STOMP protocol, an error will instead force abnormal transport 
exception handling for the affected connection and closure.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; 
Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ 
Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
+
+
+
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
+
+Credit:
+
+Youngjoon Kim (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49432
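Review bot: there are four consecutive blank lines between the "This issue affects ..." sentence and the upgrade recommendation; the other announcements use a single blank line, so these should be collapsed to one for consistency.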
diff --git a/src/security-advisories.data/CVE-2026-49434-announcement.txt 
b/src/security-advisories.data/CVE-2026-49434-announcement.txt
new file mode 100644
index 000000000..9cc137058
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49434-announcement.txt
@@ -0,0 +1,29 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+
+Description:
+
+Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache 
ActiveMQ, Apache ActiveMQ All.
+
+An attacker that has access to publish or modify entries in LDAP that match 
the configured searchBase and searchFilter can instantiate denied transports 
inside the broker JVM. This can be used to fetch an attacker URL and spawn a 
second BrokerService inside the same JVM.
+This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 
6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ 
All: before 5.19.8, from 6.0.0 before 6.2.7.
+
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
+
+Credit:
+
+@Add Content (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49434
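Review bot: the Credit section reads `@Add Content (finder)`, which looks like an unfilled template placeholder rather than a reporter name; either fill in the finder's name or drop the Credit section before publishing.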
diff --git a/src/security-advisories.data/CVE-2026-49877-announcement.txt 
b/src/security-advisories.data/CVE-2026-49877-announcement.txt
new file mode 100644
index 000000000..7f1c3a9ab
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49877-announcement.txt
@@ -0,0 +1,24 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+
+Description:
+
+Improper Authorization vulnerability in Apache ActiveMQ.
+
+An authenticated low-privilege Web Console user by default can access /admin/* 
paths in the Web Console. The default Jetty settings incorrectly did not limit 
those paths to only admins.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49877
diff --git a/src/security-advisories.data/CVE-2026-50734-announcement.txt 
b/src/security-advisories.data/CVE-2026-50734-announcement.txt
new file mode 100644
index 000000000..5f4cc08a5
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-50734-announcement.txt
@@ -0,0 +1,28 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.8
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before 
6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+
+Description:
+
+Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ 
Client, Apache ActiveMQ, Apache ActiveMQ All.
+
+An unauthenticated network attacker can cause a broker DoS by sending a 
crafted WireFormatInfo frame with a malicious large size value. The value is 
not validate and causes the broker to attempt allocation during pre-auth 
negotiation which can trigger OOM and crash the broker.
+This issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 
6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ 
All: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
+
+Credit:
+
+Andrej Tomci (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-50734
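Review bot: typo in the description, "The value is not validate and causes the broker ..." should read "The value is not validated and causes the broker ...".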
diff --git a/src/security-advisories.data/CVE-2026-50750-announcement.txt 
b/src/security-advisories.data/CVE-2026-50750-announcement.txt
new file mode 100644
index 000000000..ca1652d77
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-50750-announcement.txt
@@ -0,0 +1,24 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 5.19.7 before 
5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.2.6 before 
6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 5.19.7 before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.6 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 5.19.7 before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.2.6 before 6.2.7
+
+Description:
+
+Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, 
Apache ActiveMQ, Apache ActiveMQ All.
+
+Following the fix for  CVE-2026-49270 an unauthenticated attacker can now 
cause broker OOM by sending an repeated BrokerInfo commands without sending a 
ConnectionInfo, until the broker will crash with OOM.
+This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 
6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 
before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 
6.2.7.
+
+Users are recommended to upgrade to version 6.2.7, which fixes the issue.
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-50750
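Review bot: the affected-versions list includes "5.19.7 before 5.19.8", but the remediation line names only 6.2.7; it should read "upgrade to version 6.2.7 or 5.19.8" as the other announcements do. Two smaller wording issues in the description: a doubled space in "the fix for  CVE-2026-49270", and "by sending an repeated BrokerInfo commands" should be "by sending repeated BrokerInfo commands". This announcement also has no Credit section; confirm that is intended rather than an omission.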
diff --git a/src/security-advisories.data/CVE-2026-50760-announcement.txt 
b/src/security-advisories.data/CVE-2026-50760-announcement.txt
new file mode 100644
index 000000000..b5322d965
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-50760-announcement.txt
@@ -0,0 +1,26 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ Web Console (org.apache.activemq:apache-web-console) before 
5.19.8
+- Apache ActiveMQ Web Console (org.apache.activemq:apache-web-console) 6.0.0 
before 6.2.7
+
+Description:
+
+Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console.
+
+The browse page in the web console renders a message Id directly without 
sanitization. This allows an authenticated producer to send a message with a 
JMS message ID that has been crafted to contain HTML/JavaScript such that when 
an administrator browses the queue in the Web Console, the payload executes in 
their browser.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; 
Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
+
+Credit:
+
+Biswajeet Ray (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-52760
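Review bot: the CVE record link points at `CVE-2026-52760` while the file name and the security.md entry are for `CVE-2026-50760`; this looks like a digit transposition and the reference should be `https://www.cve.org/CVERecord?id=CVE-2026-50760`.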
diff --git a/src/security-advisories.data/CVE-2026-53916-announcement.txt 
b/src/security-advisories.data/CVE-2026-53916-announcement.txt
new file mode 100644
index 000000000..1396d4335
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-53916-announcement.txt
@@ -0,0 +1,29 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) before 5.19.8
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) 6.0.0 before 6.2.7
+
+Description:
+
+Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, 
Apache ActiveMQ All, Apache ActiveMQ Stomp.
+
+
+An unauthenticated client that opens a STOMP NIO connection can send header 
bytes that never terminate which makes the broker buffer them without limit, 
exhausting the JVM heap.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; 
Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ 
Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
+
+Credit:
+
+tonghuaroot (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-53916
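Review bot: there are two blank lines between the "Memory Allocation with Excessive Size Value vulnerability ..." sentence and the description paragraph; the other announcements separate them with one, so the extra blank line should be removed.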
diff --git a/src/security-advisories.data/CVE-2026-53917-announcement.txt 
b/src/security-advisories.data/CVE-2026-53917-announcement.txt
new file mode 100644
index 000000000..ef7f71f09
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-53917-announcement.txt
@@ -0,0 +1,30 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.8
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before 
6.2.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.7
+
+Description:
+
+Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, 
Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker.
+
+An authenticated user can cause a broker DoS by sending a crafted OpenWire 
Message with a large encoded size value for the map. OpenWire message property 
maps are unmarshaled without size validation which can trigger OOM and crash 
the broker.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; 
Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ 
Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before 
5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the 
issue.
+
+Credit:
+
+tonghuaroot (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-53917
diff --git a/src/security-advisories.data/CVE-2026-54475-announcement.txt 
b/src/security-advisories.data/CVE-2026-54475-announcement.txt
new file mode 100644
index 000000000..debd90c34
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-54475-announcement.txt
@@ -0,0 +1,29 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+
+Description:
+
+Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ 
All, Apache ActiveMQ.
+
+Apache ActiveMQ Classic temporary destinations are expected to be isolated to 
the connection that created them. The isolation can be broken as this is only 
checked in the client, allowing a different connection to consume from another 
connection's temporary
+destination.
+This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 
6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache 
ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7, which fixes the issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-54475
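Review bot: the description sentence is broken across two lines, ending "... consume from another connection's temporary" with "destination." on a line of its own; join them so the text renders as one sentence. The affected-versions list also includes "before 5.19.8", but the remediation line names only 6.2.7; it should read "upgrade to version 6.2.7 or 5.19.8" like the other announcements.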


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact

