Jenkins plugins Multiple Vulnerabilities (2026-05-27)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross- site scripting XSS vulnerability...

RHCOS 4 : OpenShift Container Platform 4.5.4 jenkins-2-plugins (RHSA-2020:3207)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:3207 advisory. - jenkins-script-security-plugin: cross-site scripting vulnerability due to configure sandboxed scripts CVE-2020-2190 Note that Nessus has no...

RHCOS 3 : OpenShift Container Platform 3.11 jenkins-2-plugins (RHSA-2020:0964)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:0964 advisory. - openshift/jenkins-plugin: Deserialization in snakeyaml YAML objects allows for remote code execution CVE-2020-2167 Note that Nessus has not...

RHCOS 4 : Red Hat OpenShift Container Platform 4.1 jenkins-2-plugins (RHSA-2019:2662)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:2662 advisory. - jenkins-plugin-script-security: Sandbox bypass through type casts in Script Security Plugin CVE-2019-10355 -...

RHCOS 4 : OpenShift Container Platform 4.4.z jenkins-2-plugins (RHSA-2020:2737)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:2737 advisory. - jenkins-script-security-plugin: sandbox protection bypass leads to execute arbitrary code in sandboxed scripts CVE-2019-16538 -...

RHCOS 3 : Red Hat OpenShift Container Platform 3.11 jenkins-2-plugins (RHSA-2019:2651)

The remote Red Hat Enterprise Linux CoreOS 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:2651 advisory. - jenkins-plugin-script-security: Sandbox bypass through type casts in Script Security Plugin CVE-2019-10355 -...

RHCOS 4 : OpenShift Container Platform 4.4.20 jenkins-2-plugins (RHSA-2020:3625)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:3625 advisory. - jenkins-credentials-binding-plugin: information disclosure in build log when build contains no build steps CVE-2020-2181 -...

RHCOS 4 : OpenShift Container Platform 4.7.48 (RHSA-2022:1248)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:1248 advisory. - workflow-cps: OS command execution through crafted SCM contents CVE-2022-25173 - workflow-cps-global-lib: OS command execution...

RHCOS 3 : OpenShift Container Platform 3.11.318 jenkins-2-plugins (RHSA-2020:5102)

The remote Red Hat Enterprise Linux CoreOS 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:5102 advisory. - jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM CVE-2020-2252 -...

RHCOS 4 : OpenShift Container Platform 4.4.33 (RHSA-2021:0282)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:0282 advisory. - jenkins-2-plugins/subversion: XML parser is not preventing XML external entity XXE attacks CVE-2020-2304 -...

RHCOS 4 : OpenShift Container Platform 4.7.52 paackages (RHSA-2022:4909)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:4909 advisory. - credentials: Stored XSS vulnerabilities in jenkins plugin CVE-2022-29036 - subversion: Stored XSS vulnerabilities in Jenkins...

com.base2services.jenkins:github-sqs-plugin (>=1.0 <=1.5), com.elasticbox.jenkins-ci.plugins:elasticbox (>=4.0.9 <=4.1.6) +27 more potentially affected by CVE-2026-42523 via com.coravy.hudson.plugins.github:github (>=1.10 <=1.45.0)

com.coravy.hudson.plugins.github:github MAVEN version =1.10, =1.0, =4.0.9, =1.0-alpha-1, =1.27.17, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-4, =1.0-alpha-1, =634.v371dc6d978a3, =1.83.v5bff0e55cd2d, =1.3.0, =1.4.3 and more Source cves: CVE-2026-42523...

org.jenkins-ci.plugins:azure-ad (>=378.380.v545b_1154b_3fb_ <=457.vf85d61f83b_26), org.openshift.jenkins:openshift-login (>=1.1.0.227.v27e08dfb_1a_20 <=1.1.0.248.v1908df5c4f5e) potentially affected by CVE-2026-42521 via org.jenkins-ci.plugins:matrix-auth (>=3.1.10 <=3.2.1)

org.jenkins-ci.plugins:matrix-auth MAVEN version =3.1.10, =378.380.v545b1154b3fb, =1.1.0.227.v27e08dfb1a20, =1.1.0.248.v1908df5c4f5e Source cves: CVE-2026-42521 Source advisory: SNYK:JAVA-ORGJENKINSCIPLUGINS-16322871...

com.btc.ep:btc-embeddedplatform (>=1.9.2-beta <=2.5.9), io.jenkins.blueocean:blueocean (>=1.27.17 <=1.27.25) +8 more potentially affected by CVE-2026-42524 via org.jenkins-ci.plugins:htmlpublisher (>=1.0 <=1.6)

org.jenkins-ci.plugins:htmlpublisher MAVEN version =1.0, =1.9.2-beta, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.0.0, =1.0.18 Source cves: CVE-2026-42524 Source advisory: OSV:GHSA-F8H4-46XV-H7JJ...

au.com.versent.jenkins.plugins:ignore-committer-strategy (>=29.v7c3891a_434c3 <=57.v0756db_b_f6926), com.amazon.jenkins.fleet:ec2-fleet (>=1.0 <=4.2.3.539.v8fedff2a_81c3) +119 more potentially affected by CVE-2026-42520 via org.jenkins-ci.plugins:credentials-binding (>=1.10 <=717.v951d49b_5f3a_a_)

org.jenkins-ci.plugins:credentials-binding MAVEN version =1.10, =29.v7c3891a434c3, =1.0, =1.6, =1.4, =1.41.0, =377.vc87a13718939, =57.vde5161ec7aba, =0.17, =60.vce1b19770361, =1.0.43, =1.0.0, =1.27.25 and more Source cves: CVE-2026-42520 Source advisory: OSV:GHSA-P2RF-WPXJ-MX2G...

Jenkins plugins Multiple Vulnerabilities (2026-04-29)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - High HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1914 more potentially affected by CVE-2026-27100 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.541.1)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2026-27100 Source advisory: OSV:GHSA-WFHP-QGM8-5P5C...

au.com.versent.jenkins.plugins:ignore-committer-strategy (>=37.v0d3157c4a_ef8 <=57.v0756db_b_f6926), com.coravy.hudson.plugins.github:github (>=1.41.0 <=1.46.0.1) +36 more potentially affected by CVE-2025-67640 via org.jenkins-ci.plugins:git-client (>=6.1.0 <=6.4.0)

org.jenkins-ci.plugins:git-client MAVEN version =6.1.0, =37.v0d3157c4aef8, =1.41.0, =61.vf6d8f6f5ed02, =1.1.0.825.v30618768da42, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.0.0, =3.2083.vd36f32376929, =530.v38d502df428f, =634.v371dc6d978a3, =679.v74133dab435a and more...

au.com.versent.jenkins.plugins:ignore-committer-strategy (>=29.v7c3891a_434c3 <=57.v0756db_b_f6926), br.com.ingenieux.jenkins.plugins:codecommit-url-helper (=0.0.1) +150 more potentially affected by CVE-2025-67640 via org.jenkins-ci.plugins:git-client (>=1.0.2 <=6.4.0)

org.jenkins-ci.plugins:git-client MAVEN version =1.0.2, =29.v7c3891a434c3, =1.0.5.0, =1.1.0, =1.9.2-beta, =1.9, =4.0.9, =1.1.0, =1.0.0, =1.0.1, =1.1.3, =1.7.2, =1.1.0, =1.0.0, =1.1.2 and more Source cves: CVE-2025-67640 Source advisory: OSV:GHSA-V8HG-M323-JVJQ...

Jenkins plugins Multiple Vulnerabilities (2025-10-29)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with...