Vulnerability detail

Enriched intelligence for a single CVE

5.3

CVSS
Medium

CVE-2021-26086

PUBLISHED

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in...

Exploited in the wild Remote Low complexity No user interaction

Vendor: Atlassian
Product: Jira Server, Jira Data Center
Published: Aug 16, 2021
EPSS: —

Description

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

cisa nuclei_scanner nessus_scanner

CVSS scores

CVSS v3.1 5.3 Medium

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2.0 5.0

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitation status

Exploited in the wild

Recorded 2024-11-12 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: partial

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Nov 12, 2024

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-26086.yaml	Apr 25, 2025
Nessus	https://www.tenable.com/plugins/nessus/187096	Dec 20, 2023

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

ColdFusionX/CVE-2021-26086

github · Created 2021-10-05 14:09:52 UTC · 23 stars

Atlassian Jira Server/Data Center 8.4.0 - Arbitrary File read (CVE-2021-26086)

Timeline

CVE ID Reserved

January 25, 2021
CVE Published to Public

August 16, 2021
Detected by Nessus

December 20, 2023
Added to KEVIntel

November 12, 2024
Detected by Nuclei

April 25, 2025