| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2026-53435 | 10 Jun 2026 13:05 | – | alpinelinux |
| CVE-2026-53436 | 10 Jun 2026 13:05 | – | alpinelinux |
| CVE-2026-53437 | 10 Jun 2026 13:05 | – | alpinelinux |
| CVE-2026-53438 | 10 Jun 2026 13:05 | – | alpinelinux |
| CVE-2026-53439 | 10 Jun 2026 13:06 | – | alpinelinux |
| CVE-2026-53440 | 10 Jun 2026 13:06 | – | alpinelinux |
| CVE-2026-53442 | 10 Jun 2026 13:06 | – | alpinelinux |
| CVE-2026-53438 | 10 Jun 2026 14:59 | – | circl |
| CVE-2026-53439 | 10 Jun 2026 15:07 | – | circl |
| CVE-2026-53441 | 10 Jun 2026 15:35 | – | circl |
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(320383);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/10");

  script_cve_id(
    "CVE-2026-53435",
    "CVE-2026-53436",
    "CVE-2026-53437",
    "CVE-2026-53438",
    "CVE-2026-53439",
    "CVE-2026-53440",
    "CVE-2026-53441",
    "CVE-2026-53442"
  );
  script_xref(name:"JENKINS", value:"2026-06-10");

  script_name(english:"Jenkins LTS < 2.555.3 / Jenkins weekly < 2.568 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"An application running on a remote web server host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins
LTS prior to 2.555.3 or Jenkins weekly prior to 2.568. It is, therefore, affected by multiple vulnerabilities:

  - Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape
    the user-provided description of a generic offline cause that could be set through the `POST config.xml`
    API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with
    Agent/Configure permission. (CVE-2026-53441)

  - In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins
    deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml`
    submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate
    any user and send HTTP requests on their behalf, up to and including use of the Script Console to run
    arbitrary code, or to read arbitrary files from the Jenkins controller. (CVE-2026-53435)

  - Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login
    is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing
    attackers to perform phishing attacks. (CVE-2026-53436)

  - Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login
    is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing
    attackers to perform phishing attacks. (CVE-2026-53437)

  - A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with
    Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have
    permission to view. (CVE-2026-53438)

  - Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with
    Overall/Read permission to determine other users' configured timezone and to enumerate view names of other
    users' My Views. (CVE-2026-53439)

  - Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the from parameter in the
    Delegate to servlet container security realm is safe to redirect to after login, allowing attackers to
    perform phishing attacks by redirecting users to an attacker-controlled domain. (CVE-2026-53440)

  - Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml
    submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins
    controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins
    controller file system. (CVE-2026-53442)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2026-06-10");
  script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins weekly to version 2.568 or later, or Jenkins LTS to version 2.555.3 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-53441");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-53435");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/10");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jenkins:jenkins");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jenkins_detect.nasl", "jenkins_win_installed.nbin", "jenkins_nix_installed.nbin", "macosx_jenkins_installed.nbin");
  script_require_keys("installed_sw/Jenkins");

  exit(0);
}

include('vcf_extras.inc');

var constraints = [
  { 'max_version' : '2.567', 'fixed_version' : '2.568', 'edition' : 'Open Source' },
  { 'max_version' : '2.555.2', 'fixed_version' : '2.555.3', 'edition' : 'Open Source LTS' }
];

var app_info = vcf::combined_get_app_info(app:'Jenkins');

vcf::jenkins::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE,
  flags:{'xss':TRUE}
);
```
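The plugin's version check, re-implemented as an added Python example (not Tenable's plugin code) so the boundary cases of the two constraints can be verified offline. It assumes the edition can be inferred from the self-reported version string alone: LTS releases carry three components (2.555.2), weekly builds two (2.567).

```python
from typing import Optional, Tuple

# Constraints copied from the plugin above: (max vulnerable, first fixed, edition).
CONSTRAINTS = [
    ("2.567", "2.568", "Open Source"),
    ("2.555.2", "2.555.3", "Open Source LTS"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.555.2' into (2, 555, 2); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def edition_of(version: str) -> str:
    """Assumption: a third component marks an LTS release (2.555.2); weekly has two (2.567)."""
    return "Open Source LTS" if len(parse_version(version)) == 3 else "Open Source"


def check_version(version: str) -> Optional[dict]:
    """Return the matching constraint when the version is affected, else None.

    Mirrors what vcf::jenkins::check_version_and_report does with the
    constraints list: select the constraint for the detected edition and
    flag the install when version <= max_version (tuple comparison, so
    2.555.2 < 2.555.3 and 2.567 < 2.568 behave as expected).
    """
    v = parse_version(version)
    edition = edition_of(version)
    for max_version, fixed_version, ed in CONSTRAINTS:
        if ed != edition:
            continue
        if v <= parse_version(max_version):
            return {"installed": version, "edition": edition,
                    "fixed_version": fixed_version}
    return None


if __name__ == "__main__":
    for sample in ("2.555.2", "2.555.3", "2.567", "2.568", "2.492.1"):
        print(sample, check_version(sample))
```

As with the plugin itself, this is a version-string comparison only: it inherits the caveat that a backported or mis-reported version will be judged wrongly.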
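Three of the advisory items above (CVE-2026-53436, CVE-2026-53437, CVE-2026-53440) are the same defensive problem: deciding whether a post-login redirect target really stays on the Jenkins instance. The following is an added example of such a check, not Jenkins' own fix; it assumes the instance is served under the context path `/jenkins` and that anything not provably under that path falls back to the root.

```python
from urllib.parse import urlsplit

CONTEXT_ROOT = "/jenkins"  # assumed context path of the instance


def is_safe_local_redirect(candidate: str, context_root: str = CONTEXT_ROOT) -> bool:
    """True only for a same-origin path underneath context_root.

    The checks are deliberately layered: browsers normalise some inputs
    (stripping tabs/newlines, treating backslash as slash) before the
    validator's own parser ever sees a host, so anything a browser might
    reinterpret is rejected outright instead of being parsed around.
    """
    if not candidate or not candidate.startswith("/"):
        return False
    # Control or whitespace characters anywhere (covers tab/newline between
    # slashes): refuse rather than let the browser decide what they mean.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    # Backslash is treated as a path separator by browsers: refuse.
    if "\\" in candidate:
        return False
    parts = urlsplit(candidate)
    # A scheme or an authority means an absolute or protocol-relative URL.
    if parts.scheme or parts.netloc:
        return False
    # Relative path segments are rejected instead of normalised: a "./" or
    # "../" in a redirect target has no legitimate use here.
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        return False
    path = parts.path
    return path == context_root or path.startswith(context_root + "/")


def safe_redirect_target(candidate: str, context_root: str = CONTEXT_ROOT) -> str:
    """Return candidate when it passes the check, otherwise the context root."""
    return candidate if is_safe_local_redirect(candidate, context_root) else context_root
```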