Security Vulnerabilities
A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVSS Score
4.2
EPSS Score
0.001
Published
2026-06-24
Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.
CVSS Score
3.7
EPSS Score
0.002
Published
2026-06-24
Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.
CVSS Score
4.8
EPSS Score
0.001
Published
2026-06-24
A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration.
CVSS Score
4.3
EPSS Score
0.002
Published
2026-06-24
A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
CVSS Score
5.4
EPSS Score
0.002
Published
2026-06-24
A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
CVSS Score
5.4
EPSS Score
0.001
Published
2026-06-24
A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
CVSS Score
4.3
EPSS Score
0.002
Published
2026-06-24
Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent.
CVSS Score
5.0
EPSS Score
0.002
Published
2026-06-24
A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator.
CVSS Score
4.3
EPSS Score
0.002
Published
2026-06-24
Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
CVSS Score
4.3
EPSS Score
0.003
Published
2026-06-24