CVE-2021-26078

MEDIUM

Atlassian Jira < 8.5.14, 8.6.0-8.13.6, 8.14.0-8.16.0 - Cross-Site Scripting in Number Range Searcher

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-26078. PoCs published by Captain_hook.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in Atlassian Jira Server/Data Center. The vulnerability is triggered via a crafted JQL query that injects arbitrary JavaScript into the 'Story Points' custom field when the search template is set to 'number range searcher'.

Description

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability.

Exploits (1)

exploitdb WORKING POC
by Captain_hook · textwebappsmacos
https://www.exploit-db.com/exploits/50068

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira Server/Data Center versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
Auth required
Prerequisites: Jira instance with 'Story Points' custom field configured to use 'number range searcher' · Low-privilege user account to execute the JQL query
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core 2
Core References
Patch, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-72392

Scores

CVSS v3 6.1
EPSS 0.0384
EPSS Percentile 88.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
atlassian/data_center < 8.5.14
atlassian/jira < 8.5.14
atlassian/jira_server 8.6.0 - 8.13.6
Published Jun 07, 2021
Tracked Since Feb 18, 2026