Known vulnerabilities affecting Confluence products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2025-8285 | Mattermost Confluence Plugin versions < 1.5.0 fail to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API cal... | 5.3 | 188 | Neutral | No | Yes |
| CVE-2025-54525 | Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the create channel subscription endpoint with an inv... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-54478 | Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to edit channel subscriptions via API call to the edit ... | 5.3 | 253 | Neutral | No | Yes |
| CVE-2025-54463 | Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-54458 | Mattermost Confluence Plugin versions < 1.5.0 fails to check user access of the Confluence space, allowing attackers to create a subscription to a Confluence space the user does not have access to via... | 5.0 | 175 | Neutral | No | Yes |
| CVE-2025-53910 | Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to create a channel subscription without proper access to the channel via an API call to the ... | 4.0 | 168 | Neutral | No | Yes |
| CVE-2025-53857 | Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details without proper access to the channel via API call to the ... | 3.7 | 167 | Neutral | No | Yes |
| CVE-2025-53514 | Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request... | 5.9 | 155 | Neutral | No | Yes |
| CVE-2025-52931 | Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the update channel subscription endpoint with an in... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-49221 | Mattermost Confluence Plugin versions < 1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated attackers to access subscription details via an API ca... | 3.7 | 167 | Neutral | No | Yes |
| CVE-2025-48731 | Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to Confluence spaces, which allows attackers to edit subscriptions for Confluence spaces that users do not have access to throug... | 6.4 | 262 | Neutral | No | Yes |
| CVE-2025-44004 | Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization... | 7.2 | 459 | Neutral | No | Yes |
| CVE-2025-44001 | Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, which allows attackers to get channel subscription details without proper access to the channel via an API call ... | 4.0 | 168 | Neutral | No | Yes |
| CVE-2025-27604 | Impact: The homepage of the application is public which enables a guest to download the package which might contain sensitive information. Patches: 1.11.7. Workarounds: The access to the pag... | 7.5 | 450 | Neutral | No | Yes |
| CVE-2025-22166 | This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center. This DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attac... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-13523 | Mattermost Confluence plugin version < 1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names ... | 5.4 | 223 | Neutral | No | Yes |
| CVE-2024-48942 | The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidati... | 5.9 | 155 | Neutral | No | Yes |
| CVE-2024-48941 | The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to bypass 2FA by interacting with the /rest endpoint of Jira, Confluence, or Bitbucket... | 5.4 | 121 | Neutral | No | Yes |
| CVE-2024-23737 | Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Jira allows attackers to manipulate a user's S/MIME certificate or PGP key via malicious link... | 5.4 | 185 | Neutral | No | Yes |
| CVE-2024-23735 | Cross Site Scripting (XSS) vulnerability in the S/MIME certificate upload functionality of the User Profile pages in savignano S/Notify before 4.0.0 for Confluence allows attackers to manipulate us... | 6.1 | 272 | Neutral | No | Yes |