EUVD-2026-12845

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

CVE-2026-33002

Jenkins 2.442–2.554 and LTS 2.426.3–2.541.2 are affected. The CLI WebSocket origin validation uses the Host or X-Forwarded-Host header to compute the expected origin, enabling DNS rebinding attacks to bypass origin validation. This does not specify exploits or fixes in the provided documents. Aff...

CVE-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

CVE-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

PT-2026-26074

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.442 through 2.554 Jenkins LTS versions 2.426.3 through 2.541.2 Description The software does not properly validate the origin of requests made through the CLI WebSocket endpoint. It calculates the expected origin using the...

CVE-2026-27100

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds,...

CVE-2026-27099

Jenkins 2.483 through 2.550 both inclusive, LTS 2.492.1 through 2.541.1 both inclusive does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Agent/Configure or...

CVE-2026-27099

Jenkins 2.483 through 2.550 both inclusive, LTS 2.492.1 through 2.541.1 both inclusive does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Agent/Configure or...

PT-2026-20433

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.483 through 2.550 Jenkins LTS versions 2.492.1 through 2.541.1 Description The application does not properly sanitize user-supplied data within the description field of the "Mark temporarily offline" functionality. This can...

BIT-JENKINS-2025-67639

A cross-site request forgery CSRF vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1887 more potentially affected by CVE-2025-67639 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67639 Source advisory: OSV:GHSA-6837-QGRC-X5P6...

CVE-2025-67637

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

CVE-2025-67638

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them...

CVE-2025-67639

A cross-site request forgery CSRF vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account...

CVE-2025-67638

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them...

CVE-2025-67635

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service...

Jenkins 安全漏洞

Jenkins is a Jenkins open source application. An open source automation server Jenkins provides hundreds of plugins to support building, deploying and automating any project. A security vulnerability exists in Jenkins 2.540 and earlier and LTS 2.528.2 and earlier, which stems from unencrypted...

PT-2025-50357

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.540 and earlier Jenkins LTS versions 2.528.2 and earlier Description A cross-site request forgery CSRF issue exists in Jenkins that could allow an attacker to trick users into logging in to the attacker’s account. A CSRF...

PT-2025-50355

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.540 and earlier Jenkins LTS versions 2.528.2 and earlier Description Jenkins stores build authorization tokens unencrypted in config.xml files on the Jenkins controller. This allows users with Item/Extended Read permission, ...

EUVD-2022-5981

Malicious code in bioql PyPI...