Unrated severityCISA KEVNVD Advisory· Published Mar 25, 2019· Updated Oct 21, 2025

CVE-2019-3396

Description

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

Affected products

Atlassian/Confluence Serverv5
Range: unspecified

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/46731/mitreexploitx_refsource_EXPLOIT-DB
packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.htmlmitrex_refsource_MISC
packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.htmlmitrex_refsource_MISC
www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connectormitrex_refsource_MISC
jira.atlassian.com/browse/CONFSERVER-57974mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.076
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060