7.9

CVE-2026-21569

This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. 
	
	This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. 
	
	Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
		
		* Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3
		
		
	
	See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). 
	
	This vulnerability was reported via our Atlassian (Internal) program.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AtlassianCrowd Version >= 7.1.0 < 7.1.3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.06% 0.186
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@atlassian.com 7.9 1.3 6
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://jira.atlassian.com/browse/CWD-6453
Vendor Advisory
Issue Tracking