
Critical XSS Vulnerability in Atlassian Jira and Other Security Incidents
A critical cross-site scripting (XSS) vulnerability in Atlassian Jira (CVE-2026-12345) was disclosed, allowing attackers to hijack user sessions and perform organization-wide account takeovers via malicious payloads in issue descriptions or comments. The flaw affects Jira Software and Jira Service Management versions 9.0.0 through 9.12.1, with patches released in version 9.12.2 on March 30, 2026. Researchers at Bishop Fox identified the issue, which requires no user interaction beyond viewing a crafted issue.

The npm package "axios" was also compromised in a supply-chain attack, with malicious versions (1.6.0 through 1.6.3) published on March 28, 2026, exfiltrating environment variables to an attacker-controlled server.

Additionally, Anthropic's Claude AI CLI tool accidentally leaked its source code in a public GitHub repository for 48 hours before removal on March 29, 2026, exposing proprietary model integration logic.
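As an added example (not part of the original report), the following script checks a project's `package-lock.json` for axios versions in the malicious range and a Jira build number against the affected range; the version bounds come from the text above, while the lockfile content is constructed for the demo.

```python
"""Check a lockfile and a Jira version against the ranges named above.

Added example, not the report's own tooling. Affected ranges are taken
from the text (axios 1.6.0 through 1.6.3, Jira 9.0.0 through 9.12.1);
the lockfile below is constructed sample data.
"""
import json

# Inclusive bounds as stated in the report.
AXIOS_BAD = ("1.6.0", "1.6.3")
JIRA_BAD = ("9.0.0", "9.12.1")


def parse_version(v: str) -> tuple:
    """Turn 'v9.12.1-beta.2' into (9, 12, 1); pre-release suffixes are dropped."""
    core = v.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version <= high, comparing numerically, not as strings."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def jira_affected(version: str) -> bool:
    """True for Jira builds inside the vulnerable range (9.12.2 and later are patched)."""
    return in_range(version, *JIRA_BAD)


def affected_axios(lockfile: dict) -> list:
    """Return 'path@version' for every axios copy in the malicious range.

    Reads the lockfile v2/v3 'packages' map, whose keys are node_modules paths,
    so nested copies pulled in by other dependencies are checked as well.
    """
    hits = []
    for path, meta in lockfile.get("packages", {}).items():
        name = path.split("node_modules/")[-1]  # '' for the root entry
        version = meta.get("version", "0")
        if name == "axios" and in_range(version, *AXIOS_BAD):
            hits.append(f"{path}@{version}")
    return hits


# Constructed sample lockfile: one direct axios in the bad range, one nested
# copy (1.5.1) that predates the compromised releases.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.6.0"}},
    "node_modules/axios": {"version": "1.6.2"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.5.1"}
  }
}""")

if __name__ == "__main__":
    print("axios hits:", affected_axios(SAMPLE_LOCK))  # ['node_modules/axios@1.6.2']
    print("Jira 9.12.1 affected:", jira_affected("9.12.1"))  # True
```

Pinning to 1.6.4 or later (or any release outside the stated range) and regenerating the lockfile clears the hit; the same numeric comparison avoids the string-ordering mistake where "1.6.10" sorts before "1.6.3".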