EIP-2026-102459
PRE-CVEAtlassian JIRA FishEye 2.5.7 / Crucible 2.5.7 Plugins - XML Parsing Security
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-102459. PoCs published by anonymous.
AI-analyzed exploit summary This exploit leverages an XXE (XML External Entity) vulnerability in FishEye and Crucible plugins for JIRA to disclose local sensitive files. The crafted XML payload includes an external entity reference to '/etc/passwd', demonstrating file disclosure.
Description
Atlassian JIRA FishEye 2.5.7 / Crucible 2.5.7 Plugins - XML Parsing Security
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by anonymous · textwebappsjsp
https://www.exploit-db.com/exploits/37221
This exploit leverages an XXE (XML External Entity) vulnerability in FishEye and Crucible plugins for JIRA to disclose local sensitive files. The crafted XML payload includes an external entity reference to '/etc/passwd', demonstrating file disclosure.
Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target:
FishEye and Crucible plugins for JIRA (versions up to and including 2.7.11)
No auth needed
Prerequisites:
Network access to the vulnerable JIRA instance · Ability to send crafted XML payloads to the '/crowd/services/test' endpoint
mistral-large-3 · analyzed Feb 16, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026