This page aggregates CVE data for Jenkins and its plugins: each entry carries the NVD summary, the reporting source, the maximum CVSS base score, the EPSS exploitation probability (as a percentage), and the publication and last-update dates.
The entries below are almost all plugin-level flaws rather than issues in Jenkins core. Recurring classes are missing permission checks in HTTP endpoints and form-validation methods (credential ID or classpath enumeration, outbound connections to an attacker-specified URL), stored cross-site scripting, CSRF, unrestricted post-login redirects usable for phishing, LDAP referral following and unvalidated deserialization of referral data in the LDAP and Active Directory plugins, and file-system issues (unsanitized file and zip credential file names, symbolic links in Pipeline shared libraries, `file:` URLs in inlined email images) that allow arbitrary file write on a node or arbitrary file read on the controller. Many rows list Overall/Read as the only prerequisite; on instances that grant that permission to anonymous users the low CVSS understates the exposure. Note also that the Credentials Binding file-name issue appears twice with different bounds (CVE-2026-42520 for 719.v80e905ef14eb_ and earlier, CVE-2026-48922 for 720.v3f6decef43ea_ and earlier), so an installed version should be checked against the later bound.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-9674 | A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. | [email protected] | 4.3 | 0.01% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48927 | Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. | [email protected] | 5.5 | 0.03% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48926 | Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | [email protected] | 4.3 | 0.03% | 2026-05-27 | 2026-06-02 |
| CVE-2026-48924 | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. | [email protected] | 4.3 | 0.03% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48923 | Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. | [email protected] | 4.3 | 0.03% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48922 | Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | [email protected] | 7.5 | 1.77% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48921 | Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. | [email protected] | 7.5 | 0.36% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48920 | Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. | [email protected] | 8.8 | 0.40% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48919 | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. | [email protected] | 6.6 | 1.30% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48918 | Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. | [email protected] | 6.6 | 0.26% | 2026-05-27 | 2026-05-28 |
| CVE-2026-48917 | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. | [email protected] | 6.6 | 0.05% | 2026-05-27 | 2026-06-02 |
| CVE-2026-48916 | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. | [email protected] | 6.6 | 0.04% | 2026-05-27 | 2026-06-02 |
| CVE-2026-42525 | Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. | [email protected] | 4.3 | 0.03% | 2026-04-29 | 2026-05-05 |
| CVE-2026-42524 | Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | [email protected] | 8.0 | 0.05% | 2026-04-29 | 2026-05-05 |
| CVE-2026-42523 | Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission. | [email protected] | 9.0 | 0.04% | 2026-04-29 | 2026-05-05 |
| CVE-2026-42522 | A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. | [email protected] | 4.3 | 0.03% | 2026-04-29 | 2026-05-06 |
| CVE-2026-42521 | Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath. | [email protected] | 6.5 | 0.07% | 2026-04-29 | 2026-05-06 |
| CVE-2026-42520 | Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | [email protected] | 7.5 | 2.74% | 2026-04-29 | 2026-05-06 |
| CVE-2026-42519 | A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. | [email protected] | 4.3 | 0.11% | 2026-04-29 | 2026-05-06 |
| CVE-2026-33004 | Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | [email protected] | 4.3 | 0.02% | 2026-03-18 | 2026-03-21 |
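The table is only useful once it is matched against what a controller actually runs. The script below is an added example, not code from the page or from the Jenkins project: it extracts the affected version range from each NVD summary ("N and earlier" or "A through B (both inclusive)"), compares it with an installed-plugin inventory, and orders the hits by EPSS, then CVSS. It assumes the inventory uses the field names returned by a Jenkins controller's `/pluginManager/api/json?depth=1` (`shortName`, `longName`, `version`, `active`), that summaries name plugins by their display name, and that the simplified version ordering in `version_key` (a stand-in for Jenkins' `hudson.util.VersionNumber`, not a reimplementation of it) is adequate for the bounds in this table. The inventory is constructed; the `email-ext` version in it is made up so that one installed plugin sits above its bound.

```python
"""Triage the Jenkins CVE rows above against an installed-plugin inventory.

Added example; not part of the original page or of the Jenkins project.
"""
import re

# Rows copied from the table above (summaries shortened to the range clause).
CVE_ROWS = [
    ("CVE-2026-48922", "Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier "
     "does not properly sanitize file names for file and zip file credentials", 7.5, 1.77),
    ("CVE-2026-42520", "Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier "
     "does not sanitize file names for file and zip file credentials", 7.5, 2.74),
    ("CVE-2026-42521", "Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 "
     "(both inclusive) invokes parameterless constructors of classes specified in configuration", 6.5, 0.07),
    ("CVE-2026-48917", "Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data "
     "from LDAP referrals without validation.", 6.6, 0.05),
    ("CVE-2026-48916", "Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.", 6.6, 0.04),
    ("CVE-2026-42523", "Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL", 9.0, 0.04),
    ("CVE-2026-48920", "Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows "
     "inlining images as base64 in email content", 8.8, 0.40),
]

# Constructed inventory in the shape of /pluginManager/api/json?depth=1 ("plugins" array).
# The email-ext version is invented so that one installed plugin is above its bound.
INVENTORY = [
    {"shortName": "credentials-binding", "longName": "Credentials Binding Plugin",
     "version": "720.v3f6decef43ea_", "active": True},
    {"shortName": "matrix-auth", "longName": "Matrix Authorization Strategy Plugin",
     "version": "3.2.9", "active": True},
    {"shortName": "ldap", "longName": "LDAP Plugin", "version": "807.v7d7de30930cf", "active": True},
    {"shortName": "github", "longName": "GitHub Plugin", "version": "1.46.0", "active": True},
    {"shortName": "email-ext", "longName": "Email Extension Plugin",
     "version": "1934.vexample", "active": True},  # constructed, above the 1933 bound
]

# "Jenkins <Display Name> Plugin <max> and earlier" or "<lo> through <hi> (both inclusive)".
RANGE_RE = re.compile(
    r"Jenkins (?P<name>.+? Plugin) "
    r"(?:(?P<lo>\S+) through (?P<hi>\S+) \(both inclusive\)|(?P<max>\S+) and earlier)"
)


def affected_range(summary):
    """Return (display name, lowest affected version or None, highest affected) or None."""
    m = RANGE_RE.search(summary)
    if m is None:
        return None
    if m.group("max") is not None:
        return m.group("name"), None, m.group("max")
    return m.group("name"), m.group("lo"), m.group("hi")


def version_key(version):
    """Sort key approximating Jenkins plugin version ordering.

    Numeric components compare numerically (1.10 > 1.8, 720.vHASH > 719.vHASH);
    a qualifier such as 'beta' sorts below the release with the same numbers;
    a shorter version sorts below a longer one with the same prefix (2.0 < 2.0.1).
    Tags: 0 = qualifier, 1 = end marker, 2 = number. Jenkins' folding of
    trailing zeros (1.0 == 1) is deliberately not reproduced.
    """
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((2, int(tok)) if tok.isdigit() else (0, tok.lower()))
    key.append((1,))
    return tuple(key)


def is_affected(installed, lo, hi):
    """True when installed lies in [lo, hi] (lo may be None for 'N and earlier')."""
    k = version_key(installed)
    if lo is not None and k < version_key(lo):
        return False
    return k <= version_key(hi)


def triage(cve_rows, inventory):
    """Return rows that apply to an active installed plugin, highest EPSS (then CVSS) first."""
    by_name = {p["longName"]: p for p in inventory if p.get("active", True)}
    hits = []
    for cve, summary, cvss, epss in cve_rows:
        parsed = affected_range(summary)
        if parsed is None:
            continue
        name, lo, hi = parsed
        plugin = by_name.get(name)
        if plugin is None or not is_affected(plugin["version"], lo, hi):
            continue
        hits.append({"cve": cve, "plugin": plugin["shortName"], "installed": plugin["version"],
                     "last_affected": hi, "cvss": cvss, "epss": epss})
    hits.sort(key=lambda h: (h["epss"], h["cvss"]), reverse=True)
    return hits


if __name__ == "__main__":
    for h in triage(CVE_ROWS, INVENTORY):
        print(f'{h["cve"]}  {h["plugin"]} {h["installed"]}  (affected through '
              f'{h["last_affected"]})  CVSS {h["cvss"]}  EPSS {h["epss"]}%')
```

Against the constructed inventory this reports CVE-2026-48922 but not CVE-2026-42520 for `credentials-binding` at 720 (the later bound is the one that matters), both LDAP referral CVEs, the Matrix Authorization range match, and the GitHub Plugin XSS; `email-ext` at a version above 1933 is correctly skipped. For a real controller, replace `INVENTORY` with the `plugins` array from the API response. Matching on display name is brittle across renames (compare the Entra ID row, whose summary still carries the old Azure AD name), so treat a non-match as "unknown", not as "not affected".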