48 matches found
CVE-2026-53438
A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view...
PT-2026-48423
Name of the Vulnerable Software and Affected Versions Jenkins versions prior to 2.568 Jenkins LTS versions prior to 2.555.3 Description A missing permission check allows attackers who possess the Item/Cancel permission, but lack the Item/Read permission, to cancel queue items that they are not...
CVE-2026-33001
Jenkins 2.554 and earlier (including LTS 2.541.2) is affected by CVE-2026-33001 due to unsafe handling of symbolic links during extraction of .tar/.tar.gz archives, causing arbitrary file writes on the filesystem. Exploitation is possible by attackers with Item/Configure permission or those who c...
CVE-2025-67637
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
Directus is Vulnerable to Stored Cross-site Scripting
Summary A stored cross-site scripting XSS vulnerability exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy CSP restrictions by combining file uploads with iframe srcdo...
CVE-2025-64747 Directus Vulnerable to Stored Cross-site Scripting
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting XSS vulnerability exists in versions prior to 11.13.0 that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface...
CVE-2025-64747 Directus Vulnerable to Stored Cross-site Scripting
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting XSS vulnerability exists in versions prior to 11.13.0 that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface...
PT-2025-46912
Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.13.0 Description Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting XSS issue exists that allows users with upload files and edit item permissions to...
CVE-2025-64140
Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with Item/Configure permission to execute arbitrary shell commands...
EUVD-2025-10358
Malicious code in bioql PyPI...
CVE-2025-53652
Jenkins Git Parameter Plugin 439.vb0e46ca14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters...
CVE-2022-34183
Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...
CVE-2025-28409
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/parentId endpoint does not properly validate whether the requesting user has permission to add a menu item under the specified parentId...
CVE-2024-52550
Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main Jenkinsfile script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose Jenkinsfile script is no longer approv...
jenkins: Item creation restriction bypass vulnerability
A flaw was found in Jenkins. When attempting to create an item prohibited by ACLhasCreatePermission2 or TopLevelItemDescriptorisApplicableInItemGroup through the Jenkins CLI or the REST API, if either of these checks fail, Jenkins creates the item in memory and only deletes it from disk. This may...
Jenkins Report Info Plugin Path Traversal vulnerability
Jenkins Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files. Additionally, Report Info Plugin does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permissio...
Design/Logic Flaw
Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to...
BIT-JENKINS-2023-27902
Jenkins LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents...
CVE-2024-23900
CVE-2024-23900 affects Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier. The flaw: the plugin does not sanitize user-defined axis names for multi-configuration projects, allowing attackers with Item/Configure permission to write or replace config.xml files on the Jenkins controller fi...
Jenkins does not exclude sensitive build variables from search
Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc. Jenkins 2.50 through 2.423 both inclusive, LTS 2.60.1 through 2.414.1 both inclusive does not exclude sensitive build variables...