CVE-2026-57302

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system...

CVE-2026-57302

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system...

CVE-2026-57302

CVE-2026-57302 affects the Jenkins FitNesse Plugin, specifically version 1.36 and earlier. The root cause is unencrypted password storage in the job config.xml files on the Jenkins controller, enabling disclosure to users with Extended Read permission or anyone with access to the controller files...

EUVD-2026-38783

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system...

Command Injection

org.fitnesse:fitnesse is vulnerable to Command Injection. The vulnerability is due to improper validation of user-supplied input, which allows a remote authenticated attacker to inject and execute arbitrary operating system commands...

EUVD-2022-4606

Malicious code in bioql PyPI...

EUVD-2024-25275

Malicious code in bioql PyPI...

EUVD-2024-1037

Malicious code in bioql PyPI...

EUVD-2024-3297

Malicious code in bioql PyPI...

EUVD-2024-3373

Malicious code in bioql PyPI...

CVE-2024-23604

Cross-site scripting vulnerability exists in FitNesse all releases, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters...

CVE-2024-28128

Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter...

CVE-2024-28125

FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation...

CVE-2024-42499

Improper limitation of a pathname to a restricted directory 'Path Traversal' issue exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an attacker may be able to know whether a file exists at a specific path, and/or obtain some part of the file contents under specif...

CVE-2024-39610

Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product...

CVE-2020-2120

Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity XXE attacks...

com.elega9t:fitnesse-params (=0.0.1), com.github.andreptb:fitnesse-maven-runner-plugin (>=0.2.0 <=0.2.1) +69 more potentially affected by CVE-2024-42499 via org.fitnesse:fitnesse (>=20050731 <=20240707)

org.fitnesse:fitnesse MAVEN version =20050731, =0.2.0, =0.1.0, =BETA-V1.00, =1.0.6, =1.0.0, =1.0.0, =1.2.1, =1.0.1, =1.1.0, =1.0.0, =1.0.0, =1.6.0, =1.6.5 and more Source cves: CVE-2024-42499 Source advisory: OSV:GHSA-Q297-5FF8-HC92...

com.elega9t:fitnesse-params (=0.0.1), com.github.andreptb:fitnesse-maven-runner-plugin (>=0.2.0 <=0.2.1) +69 more potentially affected by CVE-2024-39610 via org.fitnesse:fitnesse (>=20050731 <=20240707)

org.fitnesse:fitnesse MAVEN version =20050731, =0.2.0, =0.1.0, =BETA-V1.00, =1.0.6, =1.0.0, =1.0.0, =1.2.1, =1.0.1, =1.1.0, =1.0.0, =1.0.0, =1.6.0, =1.6.5 and more Source cves: CVE-2024-39610 Source advisory: OSV:GHSA-PG82-9W35-3W3R...

GHSA-PG82-9W35-3W3R FitNesse Cross-site scripting

Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product...

GHSA-Q297-5FF8-HC92 FitNesse Path Traversal

Improper limitation of a pathname to a restricted directory 'Path Traversal' issue exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an attacker may be able to know whether a file exists at a specific path, and/or obtain some part of the file contents under specif...