ESB-2026.4002 — Vulnetix

ESB-2026.4002 PUBLISHED CVSS 10 CRITICAL

======================== AUSCERT ======================== AUSCERT ---------------- Product: Publisher: Atlassian Operating System: Windows Linux macOS Resolution: Patch/Upgrade CVE Names: Original Bulletin: https://confluence.at Comment: CVSS (Max): CVSS Source: Atlassian Calculator: EPSS (Max): Revision History: - --------------------------BEGIN April 2026 Security Bulletin The vulnerabilities vulnerabilities been fixed in new CVEs reported in non-critical risk Advisories for how our products Security Bulletin Vulnerabilities processes, and INSTRUCTIONS To fix all the patching your instances each product below. of April 21, 2026 for the most up-to-date versions. To search for CVEs vulnerabilities, +----------------------- | +----------+-----------+ |Product & | Affected | | Release | Versions | Notes | | +----------+-----------+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o 12.1.0 | | | to | | | 12.1.3 | | | (LTS) | | | o 12.0.0 | | | to | | | 12.0.2 | | | o 11.0.0 | | | to | | 11.0.8 | (LTS) |Bamboo | o 10.2.0 | |Data | to |Center and| 10.2.16| Only |Server | (LTS) | o 10.2.18 | | o 10.1.0 | | | to | | 10.1.1 | | | o 10.0.0 | | | to | | | 10.0.3 | | | o 9.6.2 | | | to | | | 9.6.24 | | | (LTS) | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +----------+-----------+ | | o 10.1.1 | | | to | | 10.1.5 | (LTS) |Bitbucket | o 10.0.1 | |Data | to |Center and| 10.0.2 | Only |Server | o 9.4.12 | | | to | | 9.4.17 | | | (LTS) | +----------+-----------+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o 10.2.0 | | | to | | | 10.2.7 | | | (LTS) | | | o 10.1.0 | | | to | | | 10.1.2 | | | o 10.0.2 | | | to | | | 10.0.3 | | | o 9.5.1 | | | to | | | 9.5.4 | o 10.2.10 | | o 9.4.0 | (LTS) |Confluence| to |Data | 9.4.1 | |Center and| o 9.3.1 | Only |Server | to | | 9.3.2 | | | o 9.2.0 | | | to | | | 9.2.17 | | | (LTS) | | | o 9.1.0 | | | to | | | 9.1.1 | | | o 9.0.1 | | | to | | | 9.0.3 | | | o 8.9.1 | | | to | | | 8.9.8 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +----------+-----------+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o 11.3.0 | | | to | | | 11.3.3 | | | (LTS) | | | o 10.7.1 | | | to | | | 10.7.4 | | | o 10.6.0 | | | to | | | 10.6.1 | | | o 10.5.0 | | | to | | | 10.5.1 | | | o 10.4.0 | | | to | | | 10.4.1 | | | o 10.3.0 | o 11.3.4 | | to |Jira Data | 10.3.18| |Center and| (LTS) | |Server | o 10.2.0 | Only | | to | | 10.2.1 | | | o 10.1.1 | | | to | | | 10.1.2 | | | o 10.0.0 | | | to | | | 10.0.1 | | | o 9.17.0 | | | to | | | 9.17.5 | | | o 9.16.0 | | | to | | | 9.16.1 | | | o 9.15.2 | | | o 9.12.8 | | | to | | | 9.12.33| | | (LTS) | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +----------+-----------+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o 11.3.0 | | | to | | | 11.3.3 | | | (LTS) | | | o 11.2.0 | | | to | | | 11.2.1 | | | o 11.1.0 | | | to | | | 11.1.1 | | | o 11.0.1 | | | o 10.7.1 | | | to | | | 10.7.4 | | | o 10.6.0 | | | to | | | 10.6.1 | | | o 10.5.0 | | | to |Jira | 10.5.1 | (LTS) |Service | o 10.4.0 | |Management| to |Data | 10.4.1 | Only |Center and| o 10.3.0 | o 10.3.19 |Server | to | | 10.3.18| | | (LTS) | | | o 10.2.0 | | | to | | | 10.2.1 | | | o 10.1.1 | | | to | | | 10.1.2 | | | o 10.0.0 | | | to | | | 10.0.1 | | | o 5.17.0 | | | to | | | 5.17.5 | | | o 5.16.0 | | | to | | | 5.16.1 | | | o 5.15.2 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +----------+-----------+ Frequently Asked Questions: o Why is my Feature an unsupported Support (LTS) version. o What are the check the software pages. - Jira Software Data Center - Jira Service Management - Confluence Data Center - Bitbucket Data Center - Bamboo Data Center - Crowd Data Center o I am using version may feasible. Please recommend upgrading fixed versions, o Questions about our bulletins Post To search for CVEs vulnerabilities, Last modified on Apr 22, 2026 - --------------------------END You have received registration with maintained within receiving these you do not know and we will forward NOTE: Third Party Rights This security bulletin AUSCERT did not over its content. contained in this organisation, and site policies and which may arise this security bulletin. NOTE: This is only not be updated a later date, it from the author's Contact information in the Security Bulletin above. information, please Previous advisories https://portal.a ======================== AUSCERT The University e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ======================== =================================================== External Security Bulletin Redistribution ESB-2026.4002.2 Security Bulletin - April 21 2026 23 April 2026 =================================================== Security Bulletin Summary ----------------- Atlassian Bamboo Data Center and Server Bitbucket Data Center and Server Confluence Data Center and Server Jira Data Center and Server Jira Service Management Data Center and Server CVE-2023-48631 CVE-2026-25547 CVE-2026-29063 CVE-2026-22029 CVE-2026-24734 CVE-2022-25927 CVE-2023-3635 CVE-2026-21571 CVE-2024-45801 CVE-2022-1471 CVE-2021-0341 CVE-2026-33871 CVE-2026-33870 CVE-2024-29371 CVE-2023-1370 CVE-2025-48734 CVE-2026-26960 CVE-2026-24842 CVE-2026-23950 CVE-2026-23745 CVE-2026-25639 CVE-2026-34487 CVE-2026-24880 CVE-2026-31802 CVE-2025-66020 CVE-2021-31597 CVE-2024-47875 lassian.com/security/security-bulletin-april-21-2026-1770913890.html 10.0 CVE-2024-47875 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H) https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H 93.8% (99th) CVE-2022-1471 2026-04-22 April 23 2026: Atlassian 'Released Security Vulnerabilities' table updated: critical CVE-2026-21571 added April 22 2026: Initial Release INCLUDED TEXT-------------------- reported in this Security Bulletin include 31 high-severity and 7 critical-severity third-party vulnerabilities, which have versions of our products released in the last month. monthly Security Bulletins have been assessed as presenting a to Atlassian customers. Atlassian issues Critical Security vulnerabilities that pose an immediate critical risk based on actually use the affected components outside of our monthly schedule as necessary. are discovered through our Bug Bounty program, pen-testing third-party library scans. vulnerabilities impacting your product(s), Atlassian recommends to the latest version or one of the Fixed Versions for The listed Fixed Versions for each product are current as (date of publication); visit the linked product Release Notes or check your product versions for disclosed check the Vulnerability Disclosure Portal. ---------------------------------------------------------------------------------+ Released Security Vulnerabilities | ---------------+-----------------------------------+--------------+-------------++ | | | || | Fixed Version | Vulnerability Summary | CVE ID |CVSS Severity|| | | | || ---------------+-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |io.netty:netty-codec-http2 |CVE-2026-33871|8.7 High || |Dependency in Bamboo Data Center | | || +-----------------------------------+--------------+-------------++ | | |9.4 Critical || | | | || | | |This is a || | | |vulnerability|| | | |in a || | | |non-Atlassian|| | | |dependency. || |OS Command Injection in Bamboo Data|CVE-2026-21571|Atlassian's || |Center - CVE-2026-21571 | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | o 12.1.6 | | |non-critical || | | |assessed || recommended| | |risk. || | Data Center+-----------------------------------+--------------+-------------++ |Information Disclosure | | || |org.apache.tomcat:tomcat-catalina |CVE-2026-34487|7.5 High || (LTS) Data |Dependency in Bamboo Data Center | | || | Center Only+-----------------------------------+--------------+-------------++ |HTTP Request Smuggling | | || |org.apache.tomcat:tomcat-catalina |CVE-2026-24880|7.5 High || |Dependency in Bamboo Data Center | | || +-----------------------------------+--------------+-------------++ |HTTP Request Smuggling | | || |io.netty:netty-codec-http |CVE-2026-33870|7.5 High || |Dependency in Bamboo Data Center | | || +-----------------------------------+--------------+-------------++ |MITM (Man-in-the-Middle) | | || |org.apache.tomcat:tomcat-coyote |CVE-2026-24734|7.5 High || |Dependency in Bamboo Data Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) axios |CVE-2026-25639|7.5 High || |Dependency in Bamboo Data Center | | || +-----------------------------------+--------------+-------------++ |XSS (Cross Site Scripting) | | || |dompurify Dependency in Bamboo Data|CVE-2024-45801|7.3 High || |Center | | || ---------------+-----------------------------------+--------------+-------------++ o 10.2.0 to | | | || | 10.2.2 | | | || | | | || recommended|DoS (Denial of Service) | | || | Data Center|ua-parser-js Dependency in |CVE-2022-25927|7.5 High || |Bitbucket Data Center | | || o 9.4.18 to | | | || | 9.4.19 | | | || (LTS) Data | | | || Center Only| | | || ---------------+-----------------------------------+--------------+-------------++ | | |9.8 Critical || | | | || | | |This is a || | | |vulnerability|| | | |in a || | | |non-Atlassian|| | | |Confluence || |RCE (Remote Code Execution) | |dependency. || |org.yaml:snakeyaml Dependency in |CVE-2022-1471 |Atlassian's || |Confluence Data Center | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | | |non-critical || | | |assessed || | | |risk. || +-----------------------------------+--------------+-------------++ |Path Traversal (Arbitrary Write) | | || |node-tar Dependency in Confluence |CVE-2026-23950|8.8 High || |Data Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |io.netty:netty-codec-http2 |CVE-2026-33871|8.7 High || |Dependency in Confluence Data | | || |Center | | || +-----------------------------------+--------------+-------------++ |Injection immutable Dependency in |CVE-2026-29063|8.7 High || |Confluence Data Center | | || +-----------------------------------+--------------+-------------++ |File Inclusion node-tar Dependency |CVE-2026-23745|8.2 High || |in Confluence Data Center | | || | recommended+-----------------------------------+--------------+-------------++ Data Center|File Inclusion node-tar Dependency |CVE-2026-24842|8.2 High || |in Confluence Data Center | | || | o 9.2.19 +-----------------------------------+--------------+-------------++ (LTS) Data |File Inclusion node-tar Dependency |CVE-2026-31802|8.2 High || Center Only|in Confluence Data Center | | || +-----------------------------------+--------------+-------------++ |DOM-based XSS @remix-run/router | | || |Dependency in Confluence Data |CVE-2026-22029|8 High || |Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) valibot | | || |Dependency in Confluence Data |CVE-2025-66020|7.5 High || |Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |org.bitbucket.b_c:jose4j Dependency|CVE-2024-29371|7.5 High || |in Confluence Data Center | | || +-----------------------------------+--------------+-------------++ |HTTP Request Smuggling | | || |io.netty:netty-codec-http |CVE-2026-33870|7.5 High || |Dependency in Confluence Data | | || |Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) axios | | || |Dependency in Confluence Data |CVE-2026-25639|7.5 High || |Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) css | | || |Dependency in Confluence Data |CVE-2023-48631|7.5 High || |Center | | || +-----------------------------------+--------------+-------------++ |Injection dompurify Dependency in |CVE-2024-45801|7.3 High || |Confluence Data Center | | || +-----------------------------------+--------------+-------------++ |File Inclusion node-tar Dependency |CVE-2026-26960|7.1 High || |in Confluence Data Center | | || ---------------+-----------------------------------+--------------+-------------++ | | |10 Critical || | | | || | | |This is a || | | |vulnerability|| | | |in a || | | |non-Atlassian|| | | |Jira Data || |mXSS (mutation Cross-Site | |Center || |Scripting) dompurify Dependency in |CVE-2024-47875|dependency. || |Jira Software Data Center and | |Atlassian's || |Server | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | | |non-critical || | | |assessed || | | |risk. || +-----------------------------------+--------------+-------------++ | | |9.8 Critical || | | | || | | |This is a || | | |vulnerability|| | | |in a || | | |non-Atlassian|| | | |Jira Data || |RCE (Remote Code Execution) | |Center || |org.yaml:snakeyaml Dependency in |CVE-2022-1471 |dependency. || |Jira Software Data Center | |Atlassian's || | | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | (LTS) | | |non-critical || recommended| | |assessed || Data Center| | |risk. || +-----------------------------------+--------------+-------------++ | o 10.3.19 | | |9.2 Critical || (LTS) Data | | | || Center Only| | |This is a || | | |vulnerability|| | | |in a || | | |non-Atlassian|| | | |Jira Data || |DoS (Denial of Service) | |Center || |brace-expansion Dependency in Jira |CVE-2026-25547|dependency. || |Software Data Center | |Atlassian's || | | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | | |non-critical || | | |assessed || | | |risk. || +-----------------------------------+--------------+-------------++ |Improper Authorization | | || |commons-beanutils:commons-beanutils|CVE-2025-48734|8.8 High || |Dependency in Jira Software Data | | || |Center | | || +-----------------------------------+--------------+-------------++ |MITM (Man-in-the-Middle) | | || |com.squareup.okhttp3:okhttp |CVE-2021-0341 |7.5 High || |Dependency in Jira Software Data | | || |Center and Server | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |net.minidev:json-smart Dependency |CVE-2023-1370 |7.5 High || |in Jira Software Data Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |com.squareup.okio:okio Dependency |CVE-2023-3635 |7.5 High || |in Jira Software Data Center | | || ---------------+-----------------------------------+--------------+-------------++ | | |10 Critical || | | | || | | |This is a || | | |vulnerability|| | | |in a || | | |non-Atlassian|| | | |Jira Service || |mXSS (mutation Cross-Site | |Management || |Scripting) dompurify Dependency in |CVE-2024-47875|dependency. || |Jira Service Management Data Center| |Atlassian's || |and Server | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | | |non-critical || | | |assessed || | | |risk. || +-----------------------------------+--------------+-------------++ | | |9.8 Critical || | | | || | | |This is a || | | |vulnerability|| | | |in a || | | |non-Atlassian|| | | |Jira Service || |RCE (Remote Code Execution) | |Management || |org.yaml:snakeyaml Dependency in |CVE-2022-1471 |dependency. || |Jira Service Management Data Center| |Atlassian's || | | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | | |non-critical || | | |assessed || | o 11.3.4 | | |risk. || +-----------------------------------+--------------+-------------++ recommended| | |9.4 Critical || | Data Center| | | || | | |This is a || | | |vulnerability|| | (LTS) Data | | |in a || Center Only| | |non-Atlassian|| | | |Jira Service || |MITM (Man-in-the-Middle) | |Management || |xmlhttprequest Dependency in Jira |CVE-2021-31597|dependency. || |Service Management Data Center | |Atlassian's || | | |application || | | |of this || | | |dependency || | | |presents a || | | |lower, || | | |non-critical || | | |assessed || | | |risk. || +-----------------------------------+--------------+-------------++ |Improper Authorization | | || |commons-beanutils:commons-beanutils|CVE-2025-48734|8.8 High || |Dependency in Jira Service | | || |Management Data Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |com.squareup.okio:okio Dependency |CVE-2023-3635 |7.5 High || |in Jira Service Management Data | | || |Center | | || +-----------------------------------+--------------+-------------++ |MITM (Man-in-the-Middle) | | || |com.squareup.okhttp3:okhttp |CVE-2021-0341 |7.5 High || |Dependency in Jira Service | | || |Management Data Center and Server | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |brace-expansion Dependency in Jira |CVE-2026-25547|7.5 High || |Service Management Data Center | | || +-----------------------------------+--------------+-------------++ |DoS (Denial of Service) | | || |net.minidev:json-smart Dependency |CVE-2023-1370 |7.5 High || |in Jira Service Management Data | | || |Center | | || ---------------+-----------------------------------+--------------+-------------++ Version not listed in a Fixed Version? You may be using version and need to patch to the latest version or Long-Term most up-to-date Data Center product versions? You can always download portal or visit the product-specific download an LTS, why is it not listed in the Fixed Versions? Your LTS not have been updated yet or a backported fix may not have been see our Security Bug Fix Policy for more information. We your products to the latest versions. For the latest visit the release notes linked in the vulnerability table. the bulletin, have feedback? Let us know! Read more about and feel free to contribute feedback on our latest Community or check your products versions for disclosed check the Vulnerability Disclosure Portal. INCLUDED TEXT---------------------- this e-mail bulletin as a result of your organisation's AUSCERT. The mailing list you are subscribed to is your organisation, so if you do not wish to continue bulletins you should contact your local IT manager. If who that is, please send an email to auscert@auscert.org.au your request to the appropriate person. is provided as a service to AUSCERT's members. As write the document quoted above, AUSCERT has had no control The decision to follow or act on information or advice security bulletin is the responsibility of each user or should be considered in accordance with your organisation's procedures. AUSCERT takes no responsibility for consequences from following or acting on information or advice contained in the original release of the security bulletin. It may when updates to the original are made. If downloading at is recommended that the bulletin is retrieved directly website to ensure that the information is still current. for the authors of the original document is included If you have any questions or need further contact them directly. and external security bulletins can be retrieved from: uscert.org.au/bulletins/ =================================================== of Queensland, Brisbane QLD 4072 Australia ===================================================

Risk Scores

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Affected Products

Vendor	Product	Versions
Atlassian	Atlassian Bamboo Data Center and Server

Timeline

Apr 23, 2026 CVE Published

References

Open in Interactive Console →