Lucene search
K

105 matches found

OSV
OSV
added 2026/06/12 8:43 a.m.5 views

BIT-JENKINS-2026-53440

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain...

4.3CVSS5.3AI score0.00239EPSS
Exploits0References2
OSV
OSV
added 2026/06/12 8:43 a.m.5 views

BIT-JENKINS-2026-53437

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between //, allowing attackers to perform phishing attacks...

7.4CVSS5.4AI score0.00364EPSS
Exploits0References2
NVD
NVD
added 2026/06/10 2:16 p.m.10 views

CVE-2026-53442

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to t...

5.3CVSS0.0019EPSS
Exploits0References1
NVD
NVD
added 2026/06/10 2:16 p.m.10 views

CVE-2026-53437

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between //, allowing attackers to perform phishing attacks...

7.4CVSS0.00364EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/10 1:6 p.m.10 views

EUVD-2026-36026

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to t...

5.3CVSS5.5AI score0.0019EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 1:6 p.m.9 views

EUVD-2026-36025

Jenkins 2.483 through 2.567 both inclusive, LTS 2.492.1 through 2.555.2 both inclusive does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers...

5.2AI score0.00261EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 1:6 p.m.9 views

EUVD-2026-36024

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain...

4.3CVSS5.5AI score0.00239EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 1:6 p.m.8 views

EUVD-2026-36023

Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views"...

4.3CVSS5.5AI score0.00234EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/10 1:6 p.m.37 views

CVE-2026-53440

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain...

0.00239EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 1:5 p.m.8 views

CVE-2026-53436

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments ./ or ../, allowing attackers to perform phishing attacks...

5.5AI score0.00282EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/18 6:31 p.m.7 views

EUVD-2026-12845

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

5.8AI score0.00297EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2026/03/18 3:15 p.m.5 views

CVE-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

7.5CVSS5.8AI score0.00297EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/18 3:15 p.m.5 views

CVE-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

5.8AI score0.00297EPSS
Exploits0References2
CVE
CVE
added 2026/03/18 3:15 p.m.22 views

CVE-2026-33002

Summary: CVE-2026-33002 affects Jenkins WebSocket CLI origin validation. The vulnerability arises from computing the expected origin using the Host or X-Forwarded-Host headers, enabling potential DNS rebinding to bypass origin validation. Affected versions include Jenkins 2.442–2.554 and LTS 2.42...

7.5CVSS5.8AI score0.00297EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.5 views

PT-2026-26074

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.442 through 2.554 Jenkins LTS versions 2.426.3 through 2.541.2 Description The software does not properly validate the origin of requests made through the CLI WebSocket endpoint. It calculates the expected origin using the...

7.6CVSS6AI score0.00297EPSS
Exploits0References16
Vulnrichment
Vulnrichment
added 2026/02/18 2:17 p.m.4 views

CVE-2026-27100

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds,...

5.5AI score0.00333EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/18 2:17 p.m.28 views

CVE-2026-27099

Jenkins 2.483 through 2.550 both inclusive, LTS 2.492.1 through 2.541.1 both inclusive does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Agent/Configure or...

0.00505EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/02/18 2:17 p.m.5 views

CVE-2026-27099

Jenkins 2.483 through 2.550 both inclusive, LTS 2.492.1 through 2.541.1 both inclusive does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Agent/Configure or...

8CVSS5.1AI score0.00505EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.6 views

PT-2026-20433

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.483 through 2.550 Jenkins LTS versions 2.492.1 through 2.541.1 Description The application does not properly sanitize user-supplied data within the description field of the "Mark temporarily offline" functionality. This can...

8.3CVSS5AI score0.00505EPSS
Exploits0References25
OSV
OSV
added 2025/12/12 11:23 a.m.5 views

BIT-JENKINS-2025-67639

A cross-site request forgery CSRF vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account...

3.5CVSS6.7AI score0.00154EPSS
Exploits0References2
Rows per page
Query Builder