Cyber Resilience

CVE-2025-13523

Severity: High
Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: available (Mattermost Confluence plugin 1.7.0 or later)
CVSS Score (v3.1): 7.7 (High) CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13523 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the Mattermost Confluence plugin. Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). EPSS ranks it at the 4.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-13523 is a cross-site scripting vulnerability (CWE-79) affecting the Mattermost Confluence plugin in versions prior to 1.7.0. The flaw arises from the plugin's failure to properly escape user-controlled display names during HTML template rendering, enabling the injection of malicious content.

Authenticated Confluence users with low privileges can exploit this vulnerability by crafting a malicious display name and sharing a specially crafted OAuth2 connection link with victims. When a victim visits the link, the attacker's display name is rendered without sanitization, allowing arbitrary JavaScript execution in the victim's browser. The CVSS v3.1 base score is 7.7 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N), reflecting network accessibility, high attack complexity, required user interaction, and high impacts on confidentiality and integrity with changed scope.

Mattermost Advisory MMSA-2025-00557 provides details on the issue. The only mitigation it offers is an upgrade to Confluence plugin version 1.7.0 or later; confirm the installed plugin version on each Mattermost server rather than relying on the server version, since the plugin is updated independently. Additional guidance is available at https://mattermost.com/security-updates.


Vulnerability details

Mattermost Confluence plugin versions before 1.7.0 fail to properly escape user-controlled display names in HTML template rendering, which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers by sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The XSS directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) via a crafted OAuth2 connection link. The T1190 mapping is looser: the CVSS vector requires a low-privilege authenticated account (PR:L) and a victim who opens the link (UI:R), so this is exploitation of an authenticated web plugin rather than unauthenticated initial access to a network, and detection use cases should be built around the T1059.007 behaviour.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

Vendor: mattermost
Product: confluence (Mattermost Confluence plugin)
Versions: 1.0.0 up to but not including 1.7.0 (1.7.0 is the fixed release and is not affected)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the CVE by identifying, reporting, and applying the patch to upgrade the Mattermost Confluence plugin to version 1.7.0 or later, which fixes the improper escaping of display names.

SI-10 Information Input Validation (prevent)

Requires validation of user-controlled inputs such as display names to reduce the chance that JavaScript payloads reach the HTML templates in the first place. This is defence in depth only; display names are set on the Confluence side, so the Mattermost plugin cannot rely on it.

SI-15 Information Output Filtering (prevent)

Ensures context-aware escaping of display names during HTML rendering so that injected markup is displayed as text instead of executed in the victim's browser. This is the control the 1.7.0 fix implements.
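The following Go program is an added example written for this page; it is not code from the Mattermost Confluence plugin or from the advisory. It reproduces the class of flaw described in the Deeper analysis (a user-controlled display name interpolated into an HTML template without escaping) alongside the two code-level controls above: SI-15 output escaping, which is the actual fix, and an SI-10 input-validation layer as defence in depth. The template text, the viewData type, the attacker display name and the allowed character set in validateDisplayName are all constructed for the example and are not taken from the plugin.

```go
package main

// Added example, not code from the Mattermost Confluence plugin.
// text/template models the vulnerable rendering (no escaping);
// html/template models the fix (context-aware escaping).

import (
	"bytes"
	"errors"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
	"unicode"
	"unicode/utf8"
)

// Constructed page template: the display name lands in an HTML text node.
const connectPage = `<html><body>
<p>Confluence account <b>{{.DisplayName}}</b> is now linked to Mattermost.</p>
</body></html>`

type viewData struct {
	DisplayName string
}

// Constructed attacker display name; any JavaScript payload would do.
const attackerName = `<script>alert(1)</script>`

// renderUnescaped models the vulnerable behaviour (CWE-79): text/template
// copies the value into the page byte-for-byte, so markup inside the display
// name is parsed and executed by the victim's browser.
func renderUnescaped(name string) (string, error) {
	t, err := texttemplate.New("connect").Parse(connectPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, viewData{DisplayName: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped is the fixed form (SI-15, output filtering): html/template
// escapes the value for the HTML context it is inserted into, so '<' becomes
// '&lt;' and the name is displayed rather than executed.
func renderEscaped(name string) (string, error) {
	t, err := htmltemplate.New("connect").Parse(connectPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, viewData{DisplayName: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// validateDisplayName is an SI-10 (input validation) layer that can be applied
// where a name is accepted or stored. It is defence in depth, not a substitute
// for escaping; the length limit and disallowed characters are assumptions of
// this example, not plugin policy.
func validateDisplayName(name string) error {
	name = strings.TrimSpace(name)
	if name == "" || utf8.RuneCountInString(name) > 64 {
		return errors.New("display name must be 1-64 characters")
	}
	for _, r := range name {
		if unicode.IsControl(r) || strings.ContainsRune(`<>"'&`, r) {
			return errors.New("display name contains a disallowed character")
		}
	}
	return nil
}

func main() {
	vuln, _ := renderUnescaped(attackerName)
	safe, _ := renderEscaped(attackerName)
	fmt.Println("vulnerable:", vuln)
	fmt.Println("fixed:", safe)
	fmt.Println("validation:", validateDisplayName(attackerName))
}
```

Running it prints the raw `<script>` tag in the vulnerable rendering and `&lt;script&gt;...&lt;/script&gt;` in the fixed one; the validator rejects the same name before it is ever stored. The choice of html/template over text/template is the whole fix: it selects the escaper from the surrounding HTML context, which is why manual escaping helpers are a weaker substitute.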

References

Mattermost Security Advisory MMSA-2025-00557
Mattermost security updates: https://mattermost.com/security-updates