Skip to main content

Confluence

28 CVEs product

Monthly

CVE-2025-13523 Go HIGH PATCH This Week

Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. [CVSS 7.7 HIGH]

Confluence Suse
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-21569 HIGH This Week

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions.

Atlassian Confluence XXE Crowd
NVD VulDB
CVSS 3.0
7.9
EPSS
0.1%
CVE-2025-8285 Go MEDIUM PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence Suse
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-54525 Go HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian Denial Of Service Confluence Suse
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-54478 Go HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence Suse
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-54463 Go MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian Denial Of Service Confluence Suse
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-54458 Go MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence Suse
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-53910 Go MEDIUM PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence Suse
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-53857 Go LOW PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-53514 Go MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian Denial Of Service Confluence Suse
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-52931 Go HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian Denial Of Service Confluence Suse
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49221 Go LOW PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-48731 Go MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence Suse
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-44004 Go HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence Suse
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-44001 Go MEDIUM PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence Suse
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2020-4027 MEDIUM PATCH This Month

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Atlassian Authentication Bypass Confluence Confluence Server
NVD
CVSS 3.1
4.7
EPSS
1.5%
CVE-2019-15006 MEDIUM PATCH This Month

There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required.

Atlassian Information Disclosure Confluence Confluence Server
NVD
CVSS 3.1
6.5
EPSS
1.9%
CVE-2019-15005 MEDIUM This Month

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Troubleshooting And Support Bamboo Bitbucket +5
NVD
CVSS 3.1
4.3
EPSS
1.3%
CVE-2019-3394 HIGH PATCH This Week

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Atlassian Path Traversal Confluence Confluence Server
NVD
CVSS 3.0
8.8
EPSS
11.4%
CVE-2019-3395 CRITICAL PATCH Act Now

The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Atlassian SSRF Confluence Confluence Server
NVD
CVSS 3.0
9.8
EPSS
6.7%
CVE-2018-13389 MEDIUM PATCH This Month

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Mozilla Atlassian Information Disclosure Confluence
NVD
CVSS 3.0
4.7
EPSS
1.0%
CVE-2017-16856 MEDIUM This Month

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Atlassian Confluence
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-9505 MEDIUM POC This Month

Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Atlassian Privilege Escalation Confluence
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2016-4317 MEDIUM This Month

Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Atlassian Confluence
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2016-6283 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Atlassian Confluence
NVD Exploit-DB VulDB
CVSS 3.0
6.1
EPSS
3.0%
CVE-2015-8399 MEDIUM POC THREAT This Month

Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 93.0%.

Atlassian Information Disclosure Confluence
NVD Exploit-DB
CVSS 3.0
4.3
EPSS
93.0%
Threat
5.2
CVE-2015-8398 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Atlassian Confluence
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
0.5%
CVE-2012-2926 CRITICAL POC PATCH THREAT Act Now

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.6%.

Denial Of Service Atlassian Bamboo Confluence Confluence Server +4
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
67.6%
Threat
5.3
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. [CVSS 7.7 HIGH]

Confluence Suse
NVD
EPSS 0% CVSS 7.9
HIGH This Week

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions.

Atlassian Confluence XXE +1
NVD VulDB
EPSS 0% CVSS 4.0
MEDIUM PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian Denial Of Service Confluence +1
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian Denial Of Service Confluence +1
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence +1
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence +1
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian Denial Of Service Confluence +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian Denial Of Service Confluence +1
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence +1
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Month

Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Confluence +1
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH Monitor

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Atlassian Confluence +1
NVD
EPSS 2% CVSS 4.7
MEDIUM PATCH This Month

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Atlassian Authentication Bypass Confluence +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required.

Atlassian Information Disclosure Confluence +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Troubleshooting And Support +7
NVD
EPSS 11% CVSS 8.8
HIGH PATCH This Week

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Atlassian Path Traversal Confluence +1
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Atlassian SSRF Confluence +1
NVD
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Mozilla Atlassian Information Disclosure +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Atlassian Confluence
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Atlassian Privilege Escalation Confluence
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Atlassian Confluence
NVD
EPSS 3% CVSS 6.1
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Atlassian Confluence
NVD Exploit-DB VulDB
EPSS 93% 5.2 CVSS 4.3
MEDIUM POC THREAT This Month

Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 93.0%.

Atlassian Information Disclosure Confluence
NVD Exploit-DB
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Atlassian Confluence
NVD Exploit-DB
EPSS 68% 5.3 CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.6%.

Denial Of Service Atlassian Bamboo +6
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy