Cyber Posture

CVE-2025-13523

High

Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: available (plugin version 1.7.0 or later)
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (3.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13523 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Mattermost Confluence. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 3.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and one other technique, Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the CVE by identifying, reporting, and applying the patch that upgrades the Mattermost Confluence plugin to version 1.7.0 or later, which fixes the improper escaping of display names.

prevent (SI-10, Information Input Validation): Requires validation and sanitization of user-controlled inputs such as display names to prevent injection of malicious JavaScript payloads into HTML templates.

prevent (SI-15, Information Output Filtering): Ensures output filtering and proper escaping of display names during HTML rendering to block arbitrary JavaScript execution in victim browsers.

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The XSS vulnerability directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) via a crafted link; it also constitutes exploitation of a public-facing web plugin (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering, which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557

Deeper analysis

CVE-2025-13523 is a cross-site scripting vulnerability (CWE-79) affecting the Mattermost Confluence plugin in versions prior to 1.7.0. The flaw arises from the plugin's failure to properly escape user-controlled display names during HTML template rendering, enabling the injection of malicious content.

Authenticated Confluence users with low privileges can exploit this vulnerability by crafting a malicious display name and sharing a specially crafted OAuth2 connection link with victims. When a victim visits the link, the attacker's display name is rendered without sanitization, allowing arbitrary JavaScript execution in the victim's browser. The CVSS v3.1 base score is 7.7 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N), reflecting network accessibility, high attack complexity, required user interaction, and high impacts on confidentiality and integrity with changed scope.

Mattermost Advisory MMSA-2025-00557 provides details on the issue, with mitigation available via upgrade to Confluence plugin version 1.7.0 or later. Additional guidance is available at https://mattermost.com/security-updates.
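The rendering flaw described above (a user-controlled display name substituted into an HTML template without contextual escaping) is illustrated below in Go, the language Mattermost server plugins are written in. This is an added example, not code from the plugin or from the advisory: the template text, the function names and the constructed display name are assumptions. The weak form renders with text/template, which performs no escaping; the hardened form uses html/template, which entity-encodes the value for its HTML context, so the same input reaches the browser as inert text.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed sample: a display name carrying markup. It exists only to
// check that the renderer neutralises it; it is not taken from the advisory.
const sampleDisplayName = "Alice <script>alert(1)</script>"

// pageTemplate is a hypothetical stand-in for a connection-confirmation
// page fragment; the plugin's real template is not on the page.
const pageTemplate = `<p>Connected to Confluence as {{.DisplayName}}</p>`

type pageData struct {
	DisplayName string
}

// renderUnescaped shows the weak pattern: text/template substitutes the
// value verbatim, so any markup in DisplayName reaches the browser as markup.
func renderUnescaped(displayName string) string {
	tmpl := texttemplate.Must(texttemplate.New("page").Parse(pageTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, pageData{DisplayName: displayName}); err != nil {
		return "" // a render failure yields empty output rather than a partial page
	}
	return buf.String()
}

// renderEscaped is the hardened form: html/template knows {{.DisplayName}}
// sits in HTML text context and entity-encodes <, >, &, quotes and + there.
func renderEscaped(displayName string) string {
	tmpl := template.Must(template.New("page").Parse(pageTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, pageData{DisplayName: displayName}); err != nil {
		return ""
	}
	return buf.String()
}

// leaksMarkup is the check a defender would put in a regression test:
// the raw tag from the input must not survive into the rendered page.
func leaksMarkup(rendered string) bool {
	return strings.Contains(rendered, "<script")
}

func main() {
	weak := renderUnescaped(sampleDisplayName)
	safe := renderEscaped(sampleDisplayName)
	fmt.Println("text/template:", weak)
	fmt.Println("html/template:", safe)
	fmt.Println("weak form leaks markup:", leaksMarkup(weak))
	fmt.Println("hardened form leaks markup:", leaksMarkup(safe))
}
```

The point of the contrast is that the fix is a property of the rendering path, not of the input: html/template escapes per context automatically, whereas text/template (or string concatenation) trusts whatever the data layer hands it, which is exactly the condition under which a stored display name becomes script in another user's browser.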

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: mattermost / confluence, versions 1.0.0 up to 1.7.0 (fixed in 1.7.0)

CVEs Like This One (shared CWE-79)

CVE-2026-2101
CVE-2024-26006
CVE-2025-7760
CVE-2026-24948
CVE-2025-22709
CVE-2026-27614
CVE-2025-23689
CVE-2025-23760
CVE-2025-28935
CVE-2025-25087
