VDB

CVE-2026-22029

CVE-2026-22029 PUBLISHED CVSS 8 HIGH

This High severity DOM-based XSS vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center 9.2: Upgrade to a release greater than or equal to 9.2.19 * Confluence Data Center 10.2: Upgrade to a release greater than or equal to 10.2.10 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives). The National Vulnerability Database provides the following description for this vulnerability: React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

EPSS 0.02% · 5.3th percentile

Risk Scores

CVSS 3.1
8
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score
0.02%
5.3th percentile

Affected Products

VendorProductVersions
AtlassianJira Software Data Center
AtlassianConfluence Data Center
AtlassianJira Service Management Data Center
AtlassianCrowd Data Center

Timeline

  • Jan 8, 2026 CVE Published
  • Jan 10, 2026 EPSS Score
  • Jan 13, 2026 EPSS Score
  • Jan 16, 2026 EPSS Score
  • Jan 19, 2026 EPSS Score
  • Jan 22, 2026 EPSS Score
  • Jan 26, 2026 EPSS Score
  • Jan 29, 2026 EPSS Score
  • Feb 1, 2026 EPSS Score
  • Feb 4, 2026 EPSS Score
  • Feb 7, 2026 EPSS Score
  • Feb 10, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›