Filtered by vendor Jenkins
Total: 1775 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27100 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name. | |||||
| CVE-2026-27099 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 8.0 HIGH |
| Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission. | |||||
| CVE-2025-67643 | 1 Jenkins | 1 Redpen - Pipeline Reporter For Jira | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory. | |||||
| CVE-2025-67642 | 1 Jenkins | 1 Hashicorp Vault | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to. | |||||
| CVE-2025-67641 | 1 Jenkins | 1 Coverage | 2026-06-17 | N/A | 5.4 MEDIUM |
| Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a `javascript:` scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2025-67640 | 1 Jenkins | 1 Git Client | 2026-06-17 | N/A | 5.0 MEDIUM |
| Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands. | |||||
| CVE-2025-67639 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 3.5 LOW |
| A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account. | |||||
| CVE-2025-67638 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2025-67637 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2025-67636 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. | |||||
| CVE-2025-67635 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 7.5 HIGH |
| Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service. | |||||
| CVE-2025-64150 | 1 Jenkins | 1 Publish To Bitbucket | 2026-06-17 | N/A | 5.4 MEDIUM |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2025-64149 | 1 Jenkins | 1 Publish To Bitbucket | 2026-06-17 | N/A | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2025-64148 | 1 Jenkins | 1 Publish To Bitbucket | 2026-06-17 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2025-64147 | 1 Jenkins | 1 Curseforge Publisher | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2025-64146 | 1 Jenkins | 1 Curseforge Publisher | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2025-64145 | 1 Jenkins | 1 Byteguard Build Actions | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2025-64144 | 1 Jenkins | 1 Byteguard Build Actions | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2025-64143 | 1 Jenkins | 1 Openshift Pipeline | 2026-06-17 | N/A | 4.3 MEDIUM |
| Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2025-64142 | 1 Jenkins | 1 Nexus Task Runner | 2026-06-17 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
