CVE-2025-67641

creationtimestamp| type| source ---|---|--- 2025-12-10 21:05:14+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3m7nxlacms62y...

io.jenkins.plugins:coverage-badges-extension (>=157.vf5d725246222 <=197.vb_390173d00ec) potentially affected by CVE-2025-67641 via io.jenkins.plugins:coverage (>=2.1.0 <=2.2941.v08df75b_767f1)

io.jenkins.plugins:coverage MAVEN version =2.1.0, =157.vf5d725246222, =197.vb390173d00ec Source cves: CVE-2025-67641 Source advisory: SNYK:JAVA-IOJENKINSPLUGINS-14383149...

io.jenkins.plugins:autograding (=4.2.0), io.jenkins.plugins:code-coverage-api (=4.99.0) +2 more potentially affected by CVE-2025-67641 via io.jenkins.plugins:coverage (>=1.10.0 <=2.2941.v08df75b_767f1)

io.jenkins.plugins:coverage MAVEN version =1.10.0, =-rc6.886d29ff0f4d, =67.v35d155a1ffdf, =79.v78d40e1fc27e Source cves: CVE-2025-67641 Source advisory: OSV:GHSA-V3F3-RF6R-43X5...

CVE-2025-67641

Jenkins Coverage Plugin 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier ...