This page lists publicly disclosed CVE vulnerabilities affecting atlassian confluence (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-4027 | Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1. | [email protected] | 4.7 | 0.15% | 2020-07-01 | 2024-11-21 |
| CVE-2019-20406 | The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable to inject code & escalate their privileges via a DLL hijacking vulnerability. | [email protected] | 7.8 | 0.15% | 2020-02-06 | 2024-11-21 |
| CVE-2019-15006 | There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed c | [email protected] | 6.5 | 7.64% | 2019-12-19 | 2024-11-21 |
| CVE-2019-15005 | The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / | [email protected] | 4.3 | 0.21% | 2019-11-08 | 2024-11-21 |
| CVE-2019-3394 | There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potential | [email protected] | 8.8 | 75.77% | 2019-08-29 | 2024-11-21 |
| CVE-2019-3395 | The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. | [email protected] | 9.8 | 8.04% | 2019-03-25 | 2024-11-21 |
| CVE-2018-13389 | The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml. | [email protected] | 4.7 | 0.17% | 2018-07-10 | 2024-11-21 |
| CVE-2017-18086 | Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter. | [email protected] | 6.1 | 0.20% | 2018-02-02 | 2024-11-21 |
| CVE-2017-18085 | The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. | [email protected] | 6.1 | 0.20% | 2018-02-02 | 2024-11-21 |
| CVE-2017-18084 | The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. | [email protected] | 4.8 | 0.14% | 2018-02-02 | 2024-11-21 |
| CVE-2017-18083 | The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. | [email protected] | 5.4 | 0.20% | 2018-02-02 | 2024-11-21 |
| CVE-2017-16856 | The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme. | [email protected] | 6.1 | 0.20% | 2017-12-05 | 2026-05-13 |
| CVE-2017-9505 | Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. | [email protected] | 4.3 | 0.39% | 2017-06-15 | 2026-05-13 |
| CVE-2016-4317 | Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. | [email protected] | 5.4 | 0.18% | 2017-04-10 | 2026-05-13 |
| CVE-2016-6283 | Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action. | [email protected] | 6.1 | 4.15% | 2017-01-18 | 2026-05-13 |
| CVE-2015-8399 | Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action. | [email protected] | 4.3 | 93.25% | 2016-04-11 | 2026-05-06 |
| CVE-2015-8398 | Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check. | [email protected] | 6.1 | 0.52% | 2016-04-11 | 2026-05-06 |
| CVE-2012-2926 | Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspe | [email protected] | 9.1 | 64.53% | 2012-05-22 | 2026-04-29 |
| CVE-2005-3967 | Cross-site scripting (XSS) vulnerability in the dosearchsite.action module in Atlassian Confluence 2.0.1 Build 321 allows remote attackers to inject arbitrary web script or HTML via the searchQuery.queryString search module parameter. | [email protected] | 4.3 | 0.40% | 2005-12-03 | 2026-04-16 |