[UPDATE] [high] Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira and Jira Service Management: Multiple vulnerabilities
An attacker can exploit multiple vulnerabilities in Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira, and Jira Service Management to execute arbitrary code, gain elevated privileges, bypass security measures, manipulate data, disclose confidential information, or trigger a denial-of-service condition.
CSIRTS triage
- What
- Multiple vulnerabilities allow attackers to execute arbitrary code, gain elevated privileges, bypass security measures, manipulate data, disclose confidential information, or trigger a denial-of-service condition.
- Who is affected
- Deployments of Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira, and Jira Service Management are affected.
- Urgency
- Remediation is urgent due to the high severity and active exploitation of these vulnerabilities.
- Action
- Update to the latest versions of the affected Atlassian products.
AI-assisted analysis generated from the source advisory — verify against the original.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1955
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Moderate exploitation riskCVE-2019-112721.4% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 69% of all scored CVEs.
- Moderate exploitation riskCVE-2021-38032.0% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 79% of all scored CVEs.
- Exploitation likely imminentCVE-2022-1471EPSS puts this in the most-targeted tier (99.6% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2022-22965EPSS puts this in the most-targeted tier (99.7% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Elevated exploitation riskCVE-2022-2297810.0% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 95% of all scored CVEs.
- Moderate exploitation riskCVE-2022-316923.4% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 88% of all scored CVEs.
- Low exploitation riskCVE-2024-222570.95% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 57% of all scored CVEs.
- Low exploitation riskCVE-2025-222280.57% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 43% of all scored CVEs.
- Low exploitation riskCVE-2026-227320.48% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 38% of all scored CVEs.
- Low exploitation riskCVE-2026-247340.50% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 39% of all scored CVEs.
Referenced CVEs
+1 more CVEs referenced in this advisory.
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- medium[UPDATE] [medium] Apache Tomcat and Tomcat Native: Multiple vulnerabilitiescert-bund
- medium[UPDATE] [medium] Netty: Multiple vulnerabilitiescert-bund
- high[NEW] [high] IBM Operational Decision Manager: Multiple vulnerabilitiescert-bund
- high[UPDATE] [high] Kiali for Red Hat OpenShift Service Mesh (Axios, Go, Follow-redirects): Multiple vulnerabiliti…cert-bund
- high[UPDATE] [high] Atlassian products (Bamboo, Bitbucket, Confluence, Crucible, Fisheye, and Jira): Multiple vuln…cert-bund
- unknownMultiple vulnerabilities in IBM products (July 3, 2026)cert-fr-avis
- high[NEW] [high] IBM DataPower Gateway: Multiple vulnerabilitiescert-bund
- high[UPDATE] [high] IBM App Connect Enterprise Certified Container: Multiple vulnerabilitiescert-bund
- medium[UPDATE] [medium] Netty: Multiple vulnerabilitiescert-bund
- medium[UPDATE] [medium] Splunk Splunk Enterprise: Multiple vulnerabilities in third-party componentscert-bund
- high[UPDATE] [high] Apache Tomcat: Multiple vulnerabilitiescert-bund
- unknownMultiple vulnerabilities in IBM products (June 26, 2026)cert-fr-avis
Recent advisories for Atlassian Bamboo
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10