GHSA-mr6m-xj7v-3cv3 · Severity: high · Ecosystem: maven — Apache ActiveMQ Vulnerable to Code Injection
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Conclusion & alert: CVE-2026-41044 is rated Moderate Risk (41.8/100): CVSS High severity, with low exploitation likelihood (EPSS 0.06%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-24 | — | 0.06% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-mr6m-xj7v-3cv3 · Severity: high · Ecosystem: maven — Apache ActiveMQ Vulnerable to Code Injection
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-41044 not yet assigned priority: Debian including 1 source packages (activemq), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): open 4. | https://security-tracker.debian.org/tracker/CVE-2026-41044 |
ubuntu
|
medium | CVE-2026-41044 medium priority: Ubuntu including 1 source packages (activemq), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, resolute, upstream, xenial): needs-triage 8. | https://ubuntu.com/security/CVE-2026-41044 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | activemq | < 5.19.6 | cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* |
| apache | activemq | >= 6.0.0, < 6.2.5 | cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* |
| apache | activemq_broker | < 5.19.6 | cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* |
| apache | activemq_broker | >= 6.0.0, < 6.2.5 | cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt | Mailing List Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/04/23/6 | Mailing List Third Party Advisory |