Critical Apache ActiveMQ Vulnerability Exposes Systems to Security Header Injection Attacks
ID: eb0292a0-8eaa-511a-b088-4c470942ff70
STIX ID: report--eb0292a0-8eaa-511a-b088-4c470942ff70
Feed Name: GBHackers
Apache ActiveMQ has two disclosed vulnerabilities. CVE-2026-42253 is an HTTP response header injection via MessageServlet that allows header manipulation, leading to XSS, session hijacking, cache poisoning, etc. CVE-2026-49157 is an overly permissive Jolokia authorization that permits low-privilege users to perform management operations. Both affect ActiveMQ versions before 5.19.7 and 6.x releases prior to 6.2.6. Apache patched the issues by disabling the vulnerable servlet by default, and recommends immediate upgrades, restricting management interfaces, and auditing JMS message flows.
