5
CVEs
1
Critical
2
High
0
KEV
0
PoC
0
Unpatched C/H
80.0%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
1
HIGH
2
MEDIUM
2
LOW
0
Monthly CVE Trend
Affected Products (30)
Jira Server
88
Jira
83
Jira Data Center
44
Confluence Server
31
Crucible
30
Fisheye
30
Confluence
27
Data Center
24
Jira Software Data Center
23
Confluence Data Center
22
Java
16
Bamboo
13
Crowd
11
Jira Service Desk
10
Bitbucket
9
Jira Service Management
8
Open Redirect
7
In App Desktop Notifications
4
Mattermost
4
S Notify
4
Mattermost Server
4
Jira Pipeline Steps
4
Pro Macros
4
Bitbucket Data Center
3
Sourcetree
3
Questions For Confluence
3
Secure Login
3
Zephyr For Jira Test Management
3
Ofbiz
3
Companion
3
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-44179 | Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. No public exploit identified at time of analysis as actively used, but the publicly available exploit code exists in the advisory itself. | CRITICAL | 9.9 | – | 50 |
|
| CVE-2026-12225 | Two-factor authentication bypass in syracom AG Secure Login (2FA) plugin 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket allows an attacker holding valid first-factor credentials to skip the 2FA challenge entirely by injecting strings like 'AtlassianMobileApp' or 'JIRA' into the HTTP User-Agent header. The plugin treats such requests as mobile-app traffic and waives 2FA enforcement on protected web resources, effectively neutralizing the security control the plugin exists to provide. No public exploit identified at time of analysis, but the technique is trivial to reproduce from the public advisory text. | HIGH | 8.7 | 0.4% | 44 |
|
| CVE-2026-6673 | Missing authentication on the Atlassian Connect install callback in Mattermost allows a remote attacker to inject a rogue sharedSecret into an in-progress Jira integration setup. Affected versions span the 10.11.x, 11.5.x, 11.6.x, and 11.7.x release trains, all of which expose the POST /ac/installed endpoint without validating the caller's identity during the pending-install window. No public exploit has been identified at time of analysis, but a successful injection corrupts the integration's trust handshake, yielding high integrity and availability impact against the Jira connection. The vendor CVSS vector assigns PR:L, which conflicts with the description's 'remote unauthenticated attacker' language - this discrepancy warrants direct verification with Mattermost advisory MMSA-2026-00654. | MEDIUM | 6.4 | 0.2% | 32 |
No patch
|
| CVE-2026-48206 | Authorization bypass in Apache Camel's camel-jira component (versions 4.0.0 through pre-4.21.0) allows unauthenticated HTTP clients - in routes that bridge an HTTP consumer to a jira: producer - to drive arbitrary JIRA issue operations using the endpoint's configured service-account credentials, including deleting or transitioning issues, creating issues in unauthorized projects, modifying fields, and manipulating watchers. The root cause is that JIRA control header constants (IssueKey, ProjectKey, IssueTransitionId, linkType, and others) use non-Camel-prefixed string values, bypassing the HttpHeaderFilterStrategy which only guards the 'Camel/'/'camel' header namespace at the HTTP boundary. Fixes are confirmed in 4.14.8, 4.18.3, and 4.21.0; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV. | MEDIUM | 5.3 | 0.2% | 27 |
|
| CVE-2026-34151 | Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial. | HIGH | – | – | – |
|