22
CVEs
5
Critical
12
High
0
KEV
2
PoC
4
Unpatched C/H
77.3%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
5
HIGH
12
MEDIUM
5
LOW
0
Monthly CVE Trend
Affected Products (30)
Jira Server
88
Jira
83
Jira Data Center
44
Confluence Server
31
Crucible
30
Fisheye
30
Confluence
27
Data Center
24
Jira Software Data Center
23
Confluence Data Center
22
Java
16
Bamboo
13
Crowd
11
Jira Service Desk
10
Bitbucket
9
Jira Service Management
8
Open Redirect
7
In App Desktop Notifications
4
Mattermost
4
S Notify
4
Mattermost Server
4
Jira Pipeline Steps
4
Pro Macros
4
Bitbucket Data Center
3
Sourcetree
3
Questions For Confluence
3
Secure Login
3
Zephyr For Jira Test Management
3
Ofbiz
3
Companion
3
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-40858 | The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.O | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-27826 | Unauthenticated attackers can abuse the MCP Atlassian server to perform arbitrary outbound HTTP requests by manipulating HTTP headers, enabling credential theft from cloud instance metadata endpoints or internal network reconnaissance without requiring authentication. The vulnerability exists in the HTTP middleware layer prior to version 0.17.0, affecting Atlassian Confluence and Jira deployments. No patch is currently available. | HIGH | 8.2 | 0.0% | 61 |
PoC
|
| CVE-2026-41103 | Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate priv | CRITICAL | 9.1 | 0.1% | 51 |
|
| CVE-2026-42864 | Server-side request forgery combined with missing authentication in firefighter-incident Python package allows unauthenticated remote attackers to exfiltrate AWS IAM credentials from cloud metadata endpoints. The `/api/v2/firefighter/raid/jira_bot` endpoint accepts arbitrary URLs in the `attachments` parameter, fetches them server-side without validation, and uploads responses as Jira attachments — enabling SSRF against internal services including `http://169.254.169.254/` (AWS EC2 Instance Metadata Service). Vendor-released patch (version 0.0.54) enforces authentication and validates attachment URLs to block private/link-local/loopback addresses. No public exploit identified at time of analysis, but exploitation is trivial given detailed advisory with exact vulnerable code paths. | CRITICAL | 9.9 | 0.1% | 50 |
|
| CVE-2026-44179 | Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. No public exploit identified at time of analysis as actively used, but the publicly available exploit code exists in the advisory itself. | CRITICAL | 9.9 | – | 50 |
|
| CVE-2026-21571 | Remote code execution in Atlassian Bamboo Data Center versions 9.6.0 through 12.1.0 allows authenticated attackers to execute arbitrary OS commands via command injection vulnerability. The attack requires low-privilege authentication (PR:L) but no user interaction, enabling complete system compromise across confidentiality, integrity, and availability with cross-scope impact (SC:H/SI:H/SA:H indicating container escape or lateral movement potential). Atlassian has released patches for three major version branches (9.6.25, 10.2.18, 12.1.6). No active exploitation confirmed in CISA KEV at time of analysis, though the authenticated nature and critical CVSS 9.4 score warrant immediate patching for internet-exposed instances with broad user access. | CRITICAL | 9.4 | 1.1% | 48 |
No patch
|
| CVE-2026-27825 | MCP Atlassian server has a path traversal vulnerability enabling unauthorized access to Confluence and Jira data outside the intended scope. | CRITICAL | 9.0 | 0.0% | 45 |
|
| CVE-2026-2370 | Improper authorization in GitLab CE/EE Jira Connect integration allows authenticated users with minimal workspace permissions to steal installation credentials and impersonate the GitLab application. Affects versions 14.3 through 18.8.6, 18.9.0-18.9.2, and 18.10.0. Vendor-released patches available in versions 18.8.7, 18.9.3, and 18.10.1. High CVSS score (8.1) reflects significant confidentiality and integrity impact with low attack complexity. No public exploit identified at time of analysis, though detailed disclosure exists via HackerOne report. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-12225 | Two-factor authentication bypass in syracom AG Secure Login (2FA) plugin 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket allows an attacker holding valid first-factor credentials to skip the 2FA challenge entirely by injecting strings like 'AtlassianMobileApp' or 'JIRA' into the HTTP User-Agent header. The plugin treats such requests as mobile-app traffic and waives 2FA enforcement on protected web resources, effectively neutralizing the security control the plugin exists to provide. No public exploit identified at time of analysis, but the technique is trivial to reproduce from the public advisory text. | HIGH | 8.7 | 0.4% | 44 |
|
| CVE-2026-21570 | Remote code execution in Atlassian Bamboo Data Center versions 9.6.0 through 12.1.0 allows authenticated attackers with high privileges to execute arbitrary code on affected systems with a CVSS score of 8.6. The vulnerability impacts multiple major versions with no patch currently available, requiring immediate upgrade to patched releases such as 9.6.24, 10.2.16, or 12.1.3. Organizations unable to upgrade should prioritize access controls for high-privileged accounts until remediation is possible. | HIGH | 8.6 | 0.6% | 44 |
No patch
|
| CVE-2025-58175 | Server-Side Request Forgery in GeoServer 2.26.x prior to 2.26.4 and 2.27.x prior to 2.27.3 allows unauthenticated remote attackers to coerce the server into issuing HTTP requests to attacker-chosen destinations by abusing weak prefix matching of the proxy base URL inside the XML entity resolver. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.06% (19th percentile), but the trivial network-only attack vector and default-enabled ENTITY_RESOLUTION_ALLOWLIST since 2.25.0 raise the realistic exposure for internet-facing instances. | HIGH | 8.2 | 0.1% | 41 |
|
| CVE-2026-21569 | XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions. | HIGH | 7.9 | 0.1% | 40 |
No patch
|
| CVE-2026-31944 | LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability. | HIGH | 7.6 | 0.0% | 38 |
No patch
|
| CVE-2026-48048 | Information disclosure in XWiki Platform's LiveTableResults macro allows unauthenticated remote attackers to reconstruct user password hashes and salts one bit at a time by sending approximately 768 crafted requests with manipulated class-per-property parameters. This is a bypass of the prior fix for GHSA-5cf8-vrr8-8hjm, which failed to account for an alternate parameter path. No public exploit is identified at time of analysis, but the technique is fully described in the vendor advisory. | HIGH | 7.5 | 0.0% | 38 |
|
| CVE-2025-27511 | Remote code execution in GeoServer (versions prior to 2.27.0) with the DB2 extension installed allows authenticated administrators to perform a JNDI injection attack via a crafted DB2 JDBC connection URL submitted through the Vector Data Sources page, ultimately triggering Java deserialization of untrusted data and arbitrary code execution. No public exploit identified at time of analysis, and the vulnerability is not on CISA KEV, but the attack pattern follows well-known JNDI/Log4Shell-style RCE techniques. Risk is meaningful only where the DB2 extension is deployed and an administrative account is reachable. | HIGH | 7.2 | 0.4% | 36 |
|