Lucene search
+L

362 matches found

snyk
snyk
added 2026/06/24 3:18 p.m.5 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection due to build operations being performed on the Jenkins controller instead of the assigned agent. An attacker can execute arbitrary code on the Jenkins controller by obtaining Item/Configure permission. Remediati...

9.2CVSS6.2AI score0.0042EPSS
Exploits0References2
nvd
nvd
added 2026/06/24 2:17 p.m.10 views

CVE-2026-57301

Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller...

8.8CVSS0.0042EPSS
Exploits0References1
euvd
euvd
added 2026/06/24 1:20 p.m.10 views

EUVD-2026-38782

Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller...

8.8CVSS6.3AI score0.0042EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/06/24 1:20 p.m.6 views

CVE-2026-57296

Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can...

8.8CVSS6.3AI score0.00595EPSS
Exploits0References2
cve
cve
added 2026/06/24 1:20 p.m.19 views

CVE-2026-57296

CVE-2026-57296 - Jenkins External Workspace Manager Plugin : Affected: Jenkins External Workspace Manager Plugin 1.3.2 and earlier. Description: the exwsAllocate pipeline step accepts a custom workspace path without rejecting path traversal sequences, enabling attackers with Item/Configure permis...

8.8CVSS6.3AI score0.00595EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/06/24 1:20 p.m.7 views

CVE-2026-57293

An incorrect permission check in Jenkins Gitee Plugin 1288.v18bdebc9069b and earlier allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credentials IDs of credentials stored in Jenkins...

4.3CVSS5.9AI score0.0017EPSS
Exploits0References2
redhatcve
redhatcve
added 2026/06/05 7:46 p.m.9 views

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

8CVSS5.5AI score0.00281EPSS
Exploits0References1
github
github
added 2026/04/29 3:30 p.m.16 views

Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file

Jenkins HTML Publisher Plugin versoins 427 and earlier do not escape the job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. HTML Publisher Plugin 427.1 escapes job name and URL when...

8CVSS5.9AI score0.00281EPSS
Exploits0References3Affected Software1
github
github
added 2026/04/29 3:30 p.m.9 views

Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with...

6.5CVSS5.9AI score0.00246EPSS
Exploits0References3Affected Software1
nvd
nvd
added 2026/04/29 2:16 p.m.7 views

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

8CVSS0.00281EPSS
Exploits0References1
osv
osv
added 2026/04/29 2:16 p.m.2 views

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

8CVSS5.8AI score
Exploits0References1
euvd
euvd
added 2026/04/29 1:31 p.m.6 views

EUVD-2026-26226

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

8CVSS4.8AI score0.00281EPSS
Exploits0References1
alpinelinux
alpinelinux
added 2026/04/29 1:31 p.m.7 views

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

8CVSS5.9AI score0.00281EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/04/29 1:31 p.m.5 views

CVE-2026-42521

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure...

6.5CVSS5.4AI score0.00246EPSS
Exploits0References2Affected Software1
alpinelinux
alpinelinux
added 2026/04/29 1:31 p.m.8 views

CVE-2026-42521

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure...

6.5CVSS5.9AI score0.00246EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/04/29 12:0 a.m.10 views

PT-2026-35918

Name of the Vulnerable Software and Affected Versions Jenkins HTML Publisher Plugin versions prior to 428 Description Stored cross-site scripting XSS occurs because the legacy wrapper file fails to escape the job name and URL. This allows attackers with Item/Configure permissions to execute...

8CVSS6AI score0.00281EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/04/29 12:0 a.m.10 views

PT-2026-35915

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure...

6.5CVSS5.4AI score0.00246EPSS
Exploits0References1
snyk
snyk
added 2026/03/18 6:31 p.m.9 views

UNIX Symbolic Link (Symlink) Following

Overview org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during the extraction of .tar and .tar.gz archives when symbolic links are present. An attacker can create or overwrite arbitrary...

8.8CVSS5.9AI score0.01161EPSS
Exploits0References3
redhatcve
redhatcve
added 2025/12/17 8:7 a.m.9 views

CVE-2025-67641

Jenkins Coverage Plugin 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier ...

8CVSS6AI score0.00262EPSS
Exploits0References1
veracode
veracode
added 2025/12/13 4:26 a.m.12 views

Arbitrary Code Execution

Jenkins Templating Engine Plugin is vulnerable to Arbitrary Code Execution. The vulnerability is due to libraries defined in folders not being subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the Jenkins controller JVM...

8.8CVSS6.2AI score0.01171EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder