CVE-2021-26078

MEDIUM

Atlassian Data Center < 8.5.14 - XSS

Title source: rule

Description

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability.

Exploits (1)

exploitdb WORKING POC
by Captain_hook · text · webapps · macos
https://www.exploit-db.com/exploits/50068

Scores

CVSS v3 6.1
EPSS 0.0056
EPSS Percentile 68.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
atlassian/data_center < 8.5.14
atlassian/jira < 8.5.14
atlassian/jira_server 8.6.0 - 8.13.6
Published Jun 07, 2021
Tracked Since Feb 18, 2026