CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file

Jenkins HTML Publisher Plugin versoins 427 and earlier do not escape the job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. HTML Publisher Plugin 427.1 escapes job name and URL when...

Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with...

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

EUVD-2026-26226

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

CVE-2026-42521

The vulnerability CVE-2026-42521 affects Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (inclusive). The issue arises during deserialization of inheritance strategies, where parameterless constructors of classes specified in configuration are invoked without restricting whi...

CVE-2026-42521

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure...

CVE-2026-42521

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure...

EUVD-2026-26222

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure...

PT-2026-35918

Name of the Vulnerable Software and Affected Versions Jenkins HTML Publisher Plugin versions prior to 428 Description Stored cross-site scripting XSS occurs because the legacy wrapper file fails to escape the job name and URL. This allows attackers with Item/Configure permissions to execute...

Jenkins HTML Publisher Plugin 跨站脚本漏洞

The Jenkins HTML Publisher Plugin is an open-source continuous integration plugin developed by Jenkins, designed for publishing and displaying HTML reports generated by builds. The Jenkins HTML Publisher Plugin versions 427 and earlier contained a cross-site scripting vulnerability. This...

PT-2026-35915

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure...

UNIX Symbolic Link (Symlink) Following

Overview org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during the extraction of .tar and .tar.gz archives when symbolic links are present. An attacker can create or overwrite arbitrary...

CVE-2026-33001

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running...

CVE-2026-33001

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running...

CVE-2023-40347

Jenkins Maven Artifact ChoiceListProvider Nexus Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to...

CVE-2025-67643

Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspa...

CVE-2025-67641

Jenkins Coverage Plugin 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier ...