Skip to main content

Crowd

11 CVEs product

Monthly

CVE-2026-21569 HIGH This Week

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions.

Atlassian Confluence XXE Crowd
NVD VulDB
CVSS 3.0
7.9
EPSS
0.1%
CVE-2023-22521 HIGH This Week

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Atlassian Crowd
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-43782 CRITICAL PATCH Act Now

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Atlassian Crowd
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-26137 HIGH PATCH This Week

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Atlassian Bamboo Bitbucket Confluence Data Center +8
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2022-26136 CRITICAL PATCH Act Now

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Atlassian XSS Bamboo Bitbucket +9
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2019-15005 MEDIUM This Month

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Troubleshooting And Support Bamboo Bitbucket +5
NVD
CVSS 3.1
4.3
EPSS
1.3%
CVE-2019-11580 CRITICAL POC KEV THREAT Emergency

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Atlassian RCE Crowd
NVD
CVSS 3.1
9.8
EPSS
95.4%
CVE-2016-6496 CRITICAL Act Now

The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian RCE Java Crowd
NVD
CVSS 3.0
9.8
EPSS
2.9%
CVE-2013-3926 HIGH POC This Week

Atlassian Crowd 2.6.3 allows remote attackers to execute arbitrary commands via unspecified vectors related to a "symmetric backdoor." NOTE: as of 20130704, the vendor could not reproduce the issue,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Atlassian Crowd
NVD
CVSS 2.0
7.5
EPSS
1.0%
CVE-2013-3925 MEDIUM POC This Month

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Atlassian XXE Crowd
NVD
CVSS 2.0
5.8
EPSS
0.3%
CVE-2012-2926 CRITICAL POC PATCH THREAT Act Now

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.6%.

Denial Of Service Atlassian Bamboo Confluence Confluence Server +4
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
67.6%
Threat
5.3
EPSS 0% CVSS 7.9
HIGH This Week

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions.

Atlassian Confluence XXE +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Atlassian Crowd
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Atlassian Crowd
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Atlassian Bamboo +10
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Atlassian XSS +11
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Atlassian Troubleshooting And Support +7
NVD
EPSS 95% CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Atlassian RCE Crowd
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian RCE Java +1
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Atlassian Crowd 2.6.3 allows remote attackers to execute arbitrary commands via unspecified vectors related to a "symmetric backdoor." NOTE: as of 20130704, the vendor could not reproduce the issue,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Atlassian Crowd
NVD
EPSS 0% CVSS 5.8
MEDIUM POC This Month

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Atlassian XXE Crowd
NVD
EPSS 68% 5.3 CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.6%.

Denial Of Service Atlassian Bamboo +6
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy