Skip to main content

Atlassian

Vendor security scorecard – 5 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 18
5
CVEs
1
Critical
2
High
0
KEV
0
PoC
0
Unpatched C/H
80.0%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
1
HIGH
2
MEDIUM
2
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-44179 Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. No public exploit identified at time of analysis as actively used, but the publicly available exploit code exists in the advisory itself. CRITICAL 9.9 &ndash; 50
CVE-2026-12225 Two-factor authentication bypass in syracom AG Secure Login (2FA) plugin 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket allows an attacker holding valid first-factor credentials to skip the 2FA challenge entirely by injecting strings like 'AtlassianMobileApp' or 'JIRA' into the HTTP User-Agent header. The plugin treats such requests as mobile-app traffic and waives 2FA enforcement on protected web resources, effectively neutralizing the security control the plugin exists to provide. No public exploit identified at time of analysis, but the technique is trivial to reproduce from the public advisory text. HIGH 8.7 0.4% 44
CVE-2026-6673 Missing authentication on the Atlassian Connect install callback in Mattermost allows a remote attacker to inject a rogue sharedSecret into an in-progress Jira integration setup. Affected versions span the 10.11.x, 11.5.x, 11.6.x, and 11.7.x release trains, all of which expose the POST /ac/installed endpoint without validating the caller's identity during the pending-install window. No public exploit has been identified at time of analysis, but a successful injection corrupts the integration's trust handshake, yielding high integrity and availability impact against the Jira connection. The vendor CVSS vector assigns PR:L, which conflicts with the description's 'remote unauthenticated attacker' language - this discrepancy warrants direct verification with Mattermost advisory MMSA-2026-00654. MEDIUM 6.4 0.2% 32
No patch
CVE-2026-48206 Authorization bypass in Apache Camel's camel-jira component (versions 4.0.0 through pre-4.21.0) allows unauthenticated HTTP clients - in routes that bridge an HTTP consumer to a jira: producer - to drive arbitrary JIRA issue operations using the endpoint's configured service-account credentials, including deleting or transitioning issues, creating issues in unauthorized projects, modifying fields, and manipulating watchers. The root cause is that JIRA control header constants (IssueKey, ProjectKey, IssueTransitionId, linkType, and others) use non-Camel-prefixed string values, bypassing the HttpHeaderFilterStrategy which only guards the 'Camel/'/'camel' header namespace at the HTTP boundary. Fixes are confirmed in 4.14.8, 4.18.3, and 4.21.0; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV. MEDIUM 5.3 0.2% 27
CVE-2026-34151 Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial. HIGH &ndash; &ndash; &ndash;

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy