Jenkins: Security Vulnerabilities
Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2026-05-27
Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views.
CVSS Score: 5.5 | EPSS Score: 0.002 | Published: 2026-05-27
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.
CVSS Score: 6.6 | EPSS Score: 0.003 | Published: 2026-05-27
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.
CVSS Score: 6.6 | EPSS Score: 0.003 | Published: 2026-05-27
Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.
CVSS Score: 6.6 | EPSS Score: 0.002 | Published: 2026-05-27
Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.
CVSS Score: 6.6 | EPSS Score: 0.003 | Published: 2026-05-27
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2026-05-27
Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2026-05-27
Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2026-05-27
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2026-05-27

