Atlassian Confluence 9.0.1 < 9.0.2 / 9.2.5 < 9.2.15 / 9.5.1 < 10.2.7 (CONFSERVER-102542)

🗓️ 08 Apr 2026 00:00:00Reported by TenableType

Confluence is vulnerable to glob command injection via the -c option; patched in 10.5.0 and 11.1.0.

Reporter	Title	Published	Views	Family All 103
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition	30 Jan 202609:11	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition	16 Feb 202609:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Event Processing is vulnerable to command injection vulnerability (CVE-2025-64756)	11 Feb 202611:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules (CVE-2025-64718, CVE-2025-64756, CVE-2025-13466 & CVE-2025-65945)	22 Dec 202511:27	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple issues	17 Feb 202612:04	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Concert Software	14 Jan 202612:11	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition	7 Apr 202607:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Event Endpoint Management is vulnerable to command injection vulnerability (CVE-2025-64756)	10 Feb 202606:50	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability affects IBM watsonx Orchestrate with watsonx Assistant Cartridge	22 Jan 202605:02	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions	31 Mar 202612:18	–	ibm

Source	Link
jira	www.jira.atlassian.com/browse/CONFSERVER-102542
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(305301);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/08");

  script_cve_id("CVE-2025-64756");

  script_name(english:"Atlassian Confluence 9.0.1 < 9.0.2 / 9.2.5 < 9.2.15 / 9.5.1 < 10.2.7 (CONFSERVER-102542)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Atlassian Confluence host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in
the CONFSERVER-102542 advisory.

  - Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0
    and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows
    arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns>
    are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in
    filenames to trigger command injection and achieve arbitrary code execution under the user or CI account
    privileges. This issue has been patched in versions 10.5.0 and 11.1.0. (CVE-2025-64756)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/CONFSERVER-102542");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Atlassian Confluence version 9.0.2, 9.2.15, 10.2.7 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-64756");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/08");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:confluence");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("confluence_detect.nasl", "confluence_nix_installed.nbin", "confluence_win_installed.nbin");
  script_require_keys("installed_sw/Atlassian Confluence");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'Atlassian Confluence');

var constraints = [
  { 'min_version' : '9.0.1', 'fixed_version' : '9.0.2' },
  { 'min_version' : '9.2.5', 'fixed_version' : '9.2.15' },
  { 'min_version' : '9.5.1', 'fixed_version' : '10.2.7' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);

08 Apr 2026 00:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 3.17.5

EPSS0.00025

SSVC