Filtered by vendor Jenkins
Subscribe
Total
1775 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-48923 | 1 Jenkins | 1 Appspider | 2026-05-28 | N/A | 4.3 MEDIUM |
| Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2026-48924 | 1 Jenkins | 1 Bitbucket Oauth | 2026-05-28 | N/A | 4.3 MEDIUM |
| Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. | |||||
| CVE-2026-48927 | 1 Jenkins | 1 Buildgraph-view | 2026-05-28 | N/A | 5.5 MEDIUM |
| Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. | |||||
| CVE-2026-9674 | 1 Jenkins | 1 Multijob | 2026-05-28 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. | |||||
| CVE-2026-42519 | 1 Jenkins | 1 Script Security | 2026-05-06 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. | |||||
| CVE-2026-42520 | 1 Jenkins | 1 Credentials Binding | 2026-05-06 | N/A | 7.5 HIGH |
| Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | |||||
| CVE-2026-42521 | 1 Jenkins | 1 Matrix Authorization Strategy | 2026-05-06 | N/A | 6.5 MEDIUM |
| Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath. | |||||
| CVE-2026-42522 | 1 Jenkins | 1 Github Branch Source | 2026-05-06 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. | |||||
| CVE-2026-42524 | 1 Jenkins | 1 Html Publisher | 2026-05-05 | N/A | 8.0 HIGH |
| Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2026-42523 | 1 Jenkins | 1 Github | 2026-05-05 | N/A | 9.0 CRITICAL |
| Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission. | |||||
| CVE-2026-42525 | 1 Jenkins | 1 Azure Ad | 2026-05-05 | N/A | 4.3 MEDIUM |
| Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. | |||||
| CVE-2026-33002 | 1 Jenkins | 1 Jenkins | 2026-03-21 | N/A | 7.5 HIGH |
| Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation. | |||||
| CVE-2026-33003 | 1 Jenkins | 1 Loadninja | 2026-03-21 | N/A | 4.3 MEDIUM |
| Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2026-33004 | 1 Jenkins | 1 Loadninja | 2026-03-21 | N/A | 4.3 MEDIUM |
| Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2026-33001 | 1 Jenkins | 1 Jenkins | 2026-03-20 | N/A | 8.8 HIGH |
| Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes. | |||||