Product

Atlassian Confluence

33 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE ID | Affected versions | CVSS score / severity | Description
CVE-2025-13523 | >= 1.0.0 and < 1.7.0 | 7.7 HIGH | Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering whic
CVE-2025-8285 | < 1.5.0 | 4.0 MEDIUM | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create
CVE-2025-54525 | < 1.5.0 | 7.5 HIGH | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via
CVE-2025-54478 | < 1.5.0 | 7.2 HIGH | Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows un
CVE-2025-54463 | < 1.5.0 | 5.9 MEDIUM | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via
CVE-2025-54458 | < 1.5.0 | 5.0 MEDIUM | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers t
CVE-2025-53910 | < 1.5.0 | 4.0 MEDIUM | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create
CVE-2025-53857 | < 1.5.0 | 3.7 LOW | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get cha
CVE-2025-53514 | < 1.5.0 | 5.9 MEDIUM | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via
CVE-2025-52931 | < 1.5.0 | 7.5 HIGH | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via
CVE-2025-49221 | < 1.5.0 | 3.7 LOW | Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows un
CVE-2025-48731 | < 1.5.0 | 6.4 MEDIUM | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers t
CVE-2025-44004 | < 1.5.0 | 7.2 HIGH | Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows a
CVE-2025-44001 | < 1.5.0 | 4.0 MEDIUM | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get cha
CVE-2020-4027 | < 7.4.5 | 4.7 MEDIUM | Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions t
CVE-2019-20406 | < 7.0.5 | 7.8 HIGH | The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before ve
CVE-2019-15006 | >= 6.11.0 and < 6.13.10 | 6.5 MEDIUM | There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence D
CVE-2019-15005 | < 7.0.1 | 4.3 MEDIUM | The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic lo
CVE-2019-3394 | >= 6.1.0 and < 6.6.16 | 8.8 HIGH | There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker wi
CVE-2019-3395 | < 6.6.12 | 9.8 CRITICAL | The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from versio
CVE-2018-13389 | < 6.6.1 | 4.7 MEDIUM | The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla F
CVE-2017-18086 | < 6.4.2 | 6.1 MEDIUM | Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScrip
CVE-2017-18085 | < 6.6.1 | 6.1 MEDIUM | The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary
CVE-2017-18084 | < 6.3.4 | 4.8 MEDIUM | The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or Ja
CVE-2017-18083 | < 6.4.0 | 5.4 MEDIUM | The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or Ja
CVE-2017-16856 | < 6.5.2 | 6.1 MEDIUM | The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via
CVE-2017-9505 | >= 4.3 and < 6.2.1 | 4.3 MEDIUM | Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbo
CVE-2016-4317 | <= 5.9.10 | 5.4 MEDIUM | Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.
CVE-2016-6283 | <= 5.10.5 | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web scr
CVE-2015-8399 | <= 5.8.16 | 4.3 MEDIUM | Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter t
CVE-2015-8398 | <= 5.8.16 | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web scr
CVE-2012-2926 | < 3.5.16 | 9.1 CRITICAL | Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8,
CVE-2005-3967 | all versions | | Cross-site scripting (XSS) vulnerability in the dosearchsite.action module in Atlassian Confluence 2.0.1 Build 321 allows remote a
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin