Vulnerability-Lookup

CVE-2026-39304 (GCVE-0-2026-39304)

Vulnerability from cvelistv5 – Published: 2026-04-10 10:54 – Updated: 2026-04-10 14:10

Title

Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM

Summary

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

Severity

No CVSS data available.

CWE

Denial of Service via Out of Memory

Assigner

apache

References

1 reference

URL	Tags
https://activemq.apache.org/security-advisories.d…	vendor-advisory

Impacted products

4 products

Vendor	Product	Version
Apache Software Foundation	Apache ActiveMQ Client	Affected: 0 , < 5.19.4 (semver) Affected: 6.0.0 , < 6.2.4 (semver)
Apache Software Foundation	Apache ActiveMQ Broker	Affected: 0 , < 5.19.4 (semver) Affected: 6.0.0 , < 6.2.4 (semver)
Apache Software Foundation	Apache ActiveMQ All	Affected: 0 , < 5.19.4 (semver) Affected: 6.0.0 , < 6.2.4 (semver)
Apache Software Foundation	Apache ActiveMQ	Affected: 0 , < 5.19.4 (semver) Affected: 6.0.0 , < 6.2.4 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T11:21:32.761Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/17"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39304",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T14:10:10.616689Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T14:10:55.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-client",
          "product": "Apache ActiveMQ Client",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.4",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-broker",
          "product": "Apache ActiveMQ Broker",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.4",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-all",
          "product": "Apache ActiveMQ All",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.4",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:apache-activemq",
          "product": "Apache ActiveMQ",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.4",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDenial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\u003c/p\u003eActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\u003cbr\u003e\u003cbr\u003eNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\u003cbr\u003e\u003cp\u003eThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service via Out of Memory",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T10:54:04.130Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-39304",
    "datePublished": "2026-04-10T10:54:04.130Z",
    "dateReserved": "2026-04-06T12:51:57.606Z",
    "dateUpdated": "2026-04-10T14:10:55.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-39304",
      "date": "2026-05-26",
      "epss": "0.00076",
      "percentile": "0.22697"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39304\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-04-10T11:16:23.143\",\"lastModified\":\"2026-05-01T15:21:36.333\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\\n\\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\\n\\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\\n\\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.19.4\",\"matchCriteriaId\":\"83EF7DD6-C3A9-4561-ADC0-1E6ED5429307\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.2.4\",\"matchCriteriaId\":\"4BAE411E-AC4C-4BC7-88F0-06A57D2768DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.19.4\",\"matchCriteriaId\":\"ECEF15DD-10E8-40A4-897B-3DA7F12E2C07\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.2.4\",\"matchCriteriaId\":\"2C299CB9-FEA4-4CC5-B3A5-D1170BE63560\"}]}]}],\"references\":[{\"url\":\"https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/04/09/17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/04/09/17\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-10T11:21:32.761Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39304\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T14:10:10.616689Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T14:08:53.247Z\"}}], \"cna\": {\"title\": \"Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ Client\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.19.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.2.4\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.activemq:activemq-client\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ Broker\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.19.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.2.4\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.activemq:activemq-broker\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ All\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.19.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.2.4\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.activemq:activemq-all\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.19.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.2.4\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.activemq:apache-activemq\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\\n\\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\\n\\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\\n\\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDenial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\u003c/p\u003eActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\u003cbr\u003e\u003cbr\u003eNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\u003cbr\u003e\u003cp\u003eThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"Denial of Service via Out of Memory\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-04-10T10:54:04.130Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39304\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T14:10:55.784Z\", \"dateReserved\": \"2026-04-06T12:51:57.606Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-04-10T10:54:04.130Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

bit-activemq-2026-39304

Vulnerability from bitnami_vulndb

Published

2026-04-16 23:36

Modified

2026-04-17 00:10

Summary

Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM

Details

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.

Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "activemq",
        "purl": "pkg:bitnami/activemq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.19.4"
            },
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.4"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39304"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:activemq:*:*:*:*:*:maven:*:*"
    ],
    "severity": "High"
  },
  "details": "Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.",
  "id": "BIT-activemq-2026-39304",
  "modified": "2026-04-17T00:10:47.507Z",
  "published": "2026-04-16T23:36:26.790Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/17"
    },
    {
      "type": "WEB",
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39304"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM"
}

FKIE_CVE-2026-39304

Vulnerability from fkie_nvd - Published: 2026-04-10 11:16 - Updated: 2026-05-01 15:21

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security@apache.org	https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/04/09/17	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
apache	activemq	*
apache	activemq	*
apache	activemq_broker	*
apache	activemq_broker	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "83EF7DD6-C3A9-4561-ADC0-1E6ED5429307",
              "versionEndExcluding": "5.19.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4BAE411E-AC4C-4BC7-88F0-06A57D2768DD",
              "versionEndExcluding": "6.2.4",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECEF15DD-10E8-40A4-897B-3DA7F12E2C07",
              "versionEndExcluding": "5.19.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C299CB9-FEA4-4CC5-B3A5-D1170BE63560",
              "versionEndExcluding": "6.2.4",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue."
    }
  ],
  "id": "CVE-2026-39304",
  "lastModified": "2026-05-01T15:21:36.333",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-10T11:16:23.143",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/17"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-5568-6QCG-G7FX

Vulnerability from github – Published: 2026-04-10 12:31 – Updated: 2026-04-10 21:01

Summary

Apache ActiveMQ: Denial of Service via Out of Memory vulnerability

Details

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.19.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-broker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.19.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-broker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-all"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.19.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-all"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:apache-activemq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.19.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:apache-activemq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T21:01:01Z",
    "nvd_published_at": "2026-04-10T11:16:23Z",
    "severity": "HIGH"
  },
  "details": "Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.",
  "id": "GHSA-5568-6qcg-g7fx",
  "modified": "2026-04-10T21:01:01Z",
  "published": "2026-04-10T12:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39304"
    },
    {
      "type": "WEB",
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/activemq"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": " Apache ActiveMQ: Denial of Service via Out of Memory vulnerability"
}

WID-SEC-W-2026-1608

Vulnerability from csaf_certbund - Published: 2026-05-19 22:00 - Updated: 2026-05-20 22:00

Summary

Atlassian Produkte (Bamboo, Bitbucket, Confluence, Crucible, Fisheye und Jira): Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet. Bitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle. Confluence ist eine kommerzielle Wiki-Software. Crucible ist eine Code-Review-Lösung für Unternehmensteams. Fisheye ist ein Quellcode-Repository-Browser für Unternehmensteams. Jira ist eine Webanwendung zur Softwareentwicklung.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence, Atlassian Crucible, Atlassian Fisheye und Atlassian Jira ausnutzen, um beliebigen Programmcode auszuführen, um einen Denial of Service Angriff durchzuführen, um Informationen offenzulegen, um einen Cross-Site Scripting Angriff durchzuführen, und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2019-13990

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2022-1471

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2022-23521

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2022-41903

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2023-22518

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2023-22522

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2023-22523

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2023-22524

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2023-22527

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2023-24998

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2023-46604

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2024-45801

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2025-52999

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2025-67030

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-22029

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-22732

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-24734

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-24880

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-25639

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-26960

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-27727

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-27830

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-29062

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-29129

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-29145

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-29146

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-29786

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-31802

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-33750

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-34483

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-34487

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-39304

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-42198

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

CVE-2026-5598

Affected products

Known affected 13 products

Product	Identifier	Version
Atlassian Bamboo Data Center LTS <12.1.7 Atlassian / Bamboo		Data Center LTS <12.1.7
Atlassian Jira Data Center LTS <10.3.20 Atlassian / Jira		Data Center LTS <10.3.20
Atlassian Jira Data Center LTS <11.3.5 Atlassian / Jira		Data Center LTS <11.3.5
Atlassian Fisheye <4.9.10 Atlassian / Fisheye		<4.9.10
Atlassian Crucible <4.9.10 Atlassian / Crucible		<4.9.10
Atlassian Confluence Data Center LTS <9.2.20 Atlassian / Confluence		Data Center LTS <9.2.20
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence Data Center LTS <10.2.11 Atlassian / Confluence		Data Center LTS <10.2.11
Atlassian Bitbucket Data Center LTS <9.4.19 Atlassian / Bitbucket		Data Center LTS <9.4.19
Atlassian Bitbucket Data Center LTS <10.2.2 Atlassian / Bitbucket		Data Center LTS <10.2.2
Atlassian Bamboo Data Center LTS <9.6.26 Atlassian / Bamboo		Data Center LTS <9.6.26
Atlassian Bamboo Data Center LTS <10.2.19 Atlassian / Bamboo		Data Center LTS <10.2.19
Atlassian Jira LTS <9.12.35 Atlassian / Jira		LTS <9.12.35

References

4 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://confluence.atlassian.com/security/securit…	external
https://access.redhat.com/errata/RHSA-2026:19098	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.\r\nBitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.\r\nConfluence ist eine kommerzielle Wiki-Software.\r\nCrucible ist eine Code-Review-L\u00f6sung f\u00fcr Unternehmensteams.\r\nFisheye ist ein Quellcode-Repository-Browser f\u00fcr Unternehmensteams. \r\nJira ist eine Webanwendung zur Softwareentwicklung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence, Atlassian Crucible, Atlassian Fisheye und Atlassian Jira ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um einen Denial of Service Angriff durchzuf\u00fchren, um Informationen offenzulegen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1608 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1608.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1608 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1608"
      },
      {
        "category": "external",
        "summary": "Atlassian Security Bulletin Mai vom 2026-05-19",
        "url": "https://confluence.atlassian.com/security/security-bulletin-may-19-2026-1786839142.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19098 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19098"
      }
    ],
    "source_lang": "en-US",
    "title": "Atlassian Produkte (Bamboo, Bitbucket, Confluence, Crucible, Fisheye und Jira): Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:35:45.292+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1608",
      "initial_release_date": "2026-05-19T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c12.1.7",
                "product": {
                  "name": "Atlassian Bamboo Data Center LTS \u003c12.1.7",
                  "product_id": "T054387"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 12.1.7",
                "product": {
                  "name": "Atlassian Bamboo Data Center LTS 12.1.7",
                  "product_id": "T054387-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:bamboo:data_center_lts__12.1.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c10.2.19",
                "product": {
                  "name": "Atlassian Bamboo Data Center LTS \u003c10.2.19",
                  "product_id": "T054388"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 10.2.19",
                "product": {
                  "name": "Atlassian Bamboo Data Center LTS 10.2.19",
                  "product_id": "T054388-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:bamboo:data_center_lts__10.2.19"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c9.6.26",
                "product": {
                  "name": "Atlassian Bamboo Data Center LTS \u003c9.6.26",
                  "product_id": "T054389"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 9.6.26",
                "product": {
                  "name": "Atlassian Bamboo Data Center LTS 9.6.26",
                  "product_id": "T054389-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:bamboo:data_center_lts__9.6.26"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Bamboo"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c10.2.2",
                "product": {
                  "name": "Atlassian Bitbucket Data Center LTS \u003c10.2.2",
                  "product_id": "T054391"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 10.2.2",
                "product": {
                  "name": "Atlassian Bitbucket Data Center LTS 10.2.2",
                  "product_id": "T054391-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:bitbucket:data_center_lts__10.2.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c9.4.19",
                "product": {
                  "name": "Atlassian Bitbucket Data Center LTS \u003c9.4.19",
                  "product_id": "T054392"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 9.4.19",
                "product": {
                  "name": "Atlassian Bitbucket Data Center LTS 9.4.19",
                  "product_id": "T054392-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:bitbucket:data_center_lts__9.4.19"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Bitbucket"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c10.2.11",
                "product": {
                  "name": "Atlassian Confluence Data Center LTS \u003c10.2.11",
                  "product_id": "T054393"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 10.2.11",
                "product": {
                  "name": "Atlassian Confluence Data Center LTS 10.2.11",
                  "product_id": "T054393-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center_lts__10.2.11"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c9.2.20",
                "product": {
                  "name": "Atlassian Confluence Data Center LTS \u003c9.2.20",
                  "product_id": "T054394"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 9.2.20",
                "product": {
                  "name": "Atlassian Confluence Data Center LTS 9.2.20",
                  "product_id": "T054394-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center_lts__9.2.20"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Confluence"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.9.10",
                "product": {
                  "name": "Atlassian Crucible \u003c4.9.10",
                  "product_id": "T054395"
                }
              },
              {
                "category": "product_version",
                "name": "4.9.10",
                "product": {
                  "name": "Atlassian Crucible 4.9.10",
                  "product_id": "T054395-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:crucible:4.9.10"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Crucible"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.9.10",
                "product": {
                  "name": "Atlassian Fisheye \u003c4.9.10",
                  "product_id": "T054396"
                }
              },
              {
                "category": "product_version",
                "name": "4.9.10",
                "product": {
                  "name": "Atlassian Fisheye 4.9.10",
                  "product_id": "T054396-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:fisheye:4.9.10"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Fisheye"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c11.3.5",
                "product": {
                  "name": "Atlassian Jira Data Center LTS \u003c11.3.5",
                  "product_id": "T054397"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 11.3.5",
                "product": {
                  "name": "Atlassian Jira Data Center LTS 11.3.5",
                  "product_id": "T054397-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:jira:data_center_lts__11.3.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Data Center LTS \u003c10.3.20",
                "product": {
                  "name": "Atlassian Jira Data Center LTS \u003c10.3.20",
                  "product_id": "T054398"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center LTS 10.3.20",
                "product": {
                  "name": "Atlassian Jira Data Center LTS 10.3.20",
                  "product_id": "T054398-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:jira:data_center_lts__10.3.20"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "LTS \u003c9.12.35",
                "product": {
                  "name": "Atlassian Jira LTS \u003c9.12.35",
                  "product_id": "T054399"
                }
              },
              {
                "category": "product_version",
                "name": "LTS 9.12.35",
                "product": {
                  "name": "Atlassian Jira LTS 9.12.35",
                  "product_id": "T054399-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:jira:lts__9.12.35"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Jira"
          }
        ],
        "category": "vendor",
        "name": "Atlassian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-13990",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2019-13990"
    },
    {
      "cve": "CVE-2022-1471",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2022-1471"
    },
    {
      "cve": "CVE-2022-23521",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2022-23521"
    },
    {
      "cve": "CVE-2022-41903",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2022-41903"
    },
    {
      "cve": "CVE-2023-22518",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2023-22518"
    },
    {
      "cve": "CVE-2023-22522",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2023-22522"
    },
    {
      "cve": "CVE-2023-22523",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2023-22523"
    },
    {
      "cve": "CVE-2023-22524",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2023-22524"
    },
    {
      "cve": "CVE-2023-22527",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2023-22527"
    },
    {
      "cve": "CVE-2023-24998",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2023-24998"
    },
    {
      "cve": "CVE-2023-46604",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2023-46604"
    },
    {
      "cve": "CVE-2024-45801",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2024-45801"
    },
    {
      "cve": "CVE-2025-52999",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-52999"
    },
    {
      "cve": "CVE-2025-67030",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2025-67030"
    },
    {
      "cve": "CVE-2026-22029",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-22029"
    },
    {
      "cve": "CVE-2026-22732",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-22732"
    },
    {
      "cve": "CVE-2026-24734",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-24734"
    },
    {
      "cve": "CVE-2026-24880",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-24880"
    },
    {
      "cve": "CVE-2026-25639",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-25639"
    },
    {
      "cve": "CVE-2026-26960",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-26960"
    },
    {
      "cve": "CVE-2026-27727",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-27727"
    },
    {
      "cve": "CVE-2026-27830",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-27830"
    },
    {
      "cve": "CVE-2026-29062",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-29062"
    },
    {
      "cve": "CVE-2026-29129",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-29129"
    },
    {
      "cve": "CVE-2026-29145",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-29145"
    },
    {
      "cve": "CVE-2026-29146",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-29146"
    },
    {
      "cve": "CVE-2026-29786",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-29786"
    },
    {
      "cve": "CVE-2026-31802",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-31802"
    },
    {
      "cve": "CVE-2026-33750",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-33750"
    },
    {
      "cve": "CVE-2026-34483",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-34483"
    },
    {
      "cve": "CVE-2026-34487",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-34487"
    },
    {
      "cve": "CVE-2026-39304",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-39304"
    },
    {
      "cve": "CVE-2026-42198",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-42198"
    },
    {
      "cve": "CVE-2026-5598",
      "product_status": {
        "known_affected": [
          "T054387",
          "T054398",
          "T054397",
          "T054396",
          "T054395",
          "T054394",
          "67646",
          "T054393",
          "T054392",
          "T054391",
          "T054389",
          "T054388",
          "T054399"
        ]
      },
      "release_date": "2026-05-19T22:00:00.000+00:00",
      "title": "CVE-2026-5598"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39304 (GCVE-0-2026-39304)

bit-activemq-2026-39304

Vulnerability from bitnami_vulndb

FKIE_CVE-2026-39304

GHSA-5568-6QCG-G7FX

WID-SEC-W-2026-1608

Tags

Sightings

Nomenclature