CVE-2019-11581

CRITICAL KEV NUCLEI

Jira Server/Data Center <7.6.14, <7.13.5, <8.0.3, <8.1.2, <8.2.3 - RCE

Title source: llm

Exploitation Summary

CVE-2019-11581 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 7, 2022. EIP tracks 4 public exploits from researchers including jas502n, kobs0N, PetrusViet. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2019-11581, a template injection vulnerability in Atlassian JIRA that allows remote code execution (RCE). It includes payload examples, HTTP request formats, and step-by-step exploitation details for both authenticated and unauthenticated attack vectors.

Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Exploits (4)

nomisec WRITEUP 92 stars
by jas502n · remote
https://github.com/jas502n/CVE-2019-11581

This repository provides a detailed technical analysis of CVE-2019-11581, a template injection vulnerability in Atlassian JIRA that allows remote code execution (RCE). It includes payload examples, HTTP request formats, and step-by-step exploitation details for both authenticated and unauthenticated attack vectors.

Classification: Writeup 90% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Atlassian JIRA (versions 4.4.x to 8.2.x before fixes)
No auth needed
Prerequisites: Access to the JIRA instance · Contact Administrators form enabled for unauthenticated exploitation
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 10 stars
by kobs0N · remote
https://github.com/kobs0N/CVE-2019-11581

This repository contains a functional Python script that exploits CVE-2019-11581, a remote code execution vulnerability in Atlassian JIRA. The script automates the exploitation process by handling CSRF tokens and sending a crafted payload to execute arbitrary commands.

Classification: Working PoC 90% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Atlassian JIRA
No auth needed
Prerequisites: Access to the JIRA instance · Python environment with required libraries
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 6 stars
by PetrusViet · remote
https://github.com/PetrusViet/CVE-2019-11581

This repository provides a detailed technical analysis of CVE-2019-11581, an unauthenticated template injection vulnerability in Atlassian Jira. It includes a step-by-step breakdown of the exploit chain, debugging setup, and code execution flow, but does not contain functional exploit code.

Classification: Writeup 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Theoretical
Target: Atlassian Jira (versions 4.4.x to 8.2.x, excluding patched versions)
No auth needed
Prerequisites: Access to Jira instance with Contact Administrators form enabled · Debugging environment setup
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/r0hack/RCE-in-Jira

The repository provides a functional exploit for CVE-2019-11581, demonstrating RCE in Atlassian Jira via FreeMarker template injection. The payload leverages Java reflection to execute arbitrary commands, requiring the 'Contact Admin' form to be enabled.

Classification: Working PoC 90% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Atlassian Jira (versions 4.4.x to 8.2.x before patches)
No auth needed
Prerequisites: Contact Admin form enabled · Network access to Jira instance
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Atlassian Jira Server-Side Template Injection
CRITICAL · by ree4pwn
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira" || http.component:"atlassian confluence" || cpe:"cpe:2.3:a:atlassian:jira"

References (2)

Core References
Issue Tracking, Vendor Advisory · x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-69532

Scores

CVSS v3 9.8
EPSS 0.9435
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-07
VulnCheck KEV 2021-01-01
InTheWild.io 2022-03-07
ENISA EUVD EUVD-2019-3251
CWE
CWE-74
Status published
Products (1)
atlassian/jira_server 4.4 - 7.6.14
Published Aug 09, 2019
KEV Added Mar 07, 2022
Tracked Since Feb 18, 2026