EUVD-2026-36019
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission in a way that allows them to handle HTTP requests afterwards. This can be used to...
CVE-2026-53435
CVE-2026-53435 affects Jenkins 2.567 and earlier, and LTS 2.555.2 and earlier. The issue arises from deserializing arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission, enabling attackers to handle HTTP requests after exploitation. Impact stated in ...
GHSA-QV6F-RCV6-6Q3X Improper handling of REST API XML deserialization errors in Jenkins
Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards t...
GHSA-WFW7-6632-XCV2 Jenkins CLI Deserialization of Untrusted Data vulnerability
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-.jar file and the "Groovy variant in ysoserial"...