424 matches found

Snyk
added 2026/06/10 3:31 p.m. | 2 views

Cross-site Scripting (XSS)

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the description field of a generic 'offline' cause set via the POST config.xml API. An attacker with Agent/Configure permission can execut...

8.7 CVSS | 5.4 AI score | 0.00241 EPSS
Exploits 0 | References 2

CVE
added 2026/06/10 1:5 p.m. | 109 views

CVE-2026-53435

CVE-2026-53435 affects Jenkins 2.567 and earlier, including LTS 2.555.2 and earlier. The root cause is unsafe deserialization due to a deserialization sink that bypasses a ClassFilter, allowing an attacker who can POST a config.xml to deserialize arbitrary core/plugin types and reach them via HTT...

8.8 CVSS | 5.7 AI score | 0.00368 EPSS
In wild | Exploits 1 | References 1 | Affected Software 1

vulnersOsv
added 2026/03/18 6:31 p.m. | 8 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1917 more potentially affected by CVE-2026-33001 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.554)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2026-33001 Source advisory: OSV:GHSA-R6QV-FRPC-Q66C...

8.8 CVSS | 5.8 AI score | 0.0075 EPSS
Exploits 0

vulnersOsv
added 2026/03/18 6:31 p.m. | 10 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +661 more potentially affected by CVE-2026-33001 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.554)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more Source...

8.8 CVSS | 5.8 AI score | 0.0075 EPSS
Exploits 0

Snyk
added 2026/03/18 6:31 p.m. | 8 views

UNIX Symbolic Link (Symlink) Following

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following during the extraction of .tar and .tar.gz archives when symbolic links are present. An attacker can create or overwrite arbitrary...

8.8 CVSS | 5.9 AI score | 0.0075 EPSS
Exploits 0 | References 3

Snyk
added 2026/03/18 6:31 p.m. | 5 views

DNS Rebinding

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to DNS Rebinding in the origin validation process for WebSocket CLI requests due to reliance on the Host or X-Forwarded-Host HTTP headers. An attacker can bypass origin...

7.7 CVSS | 5.8 AI score | 0.00297 EPSS
Exploits 0 | References 3

Snyk
added 2026/02/18 3:31 p.m. | 7 views

Cross-site Scripting (XSS)

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the UserCause function. An attacker can execute arbitrary JavaScript code in the context of other users by providing crafted input in the...

8.6 CVSS | 5.8 AI score | 0.00471 EPSS
Exploits 0 | References 2

vulnersOsv
added 2026/02/18 3:31 p.m. | 7 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +659 more potentially affected by CVE-2026-27100 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.541.1)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more Sou...

4.3 CVSS | 7.7 AI score | 0.00333 EPSS
Exploits 0

vulnersOsv
added 2026/02/18 3:31 p.m. | 9 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1915 more potentially affected by CVE-2026-27100 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.541.1)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2026-27100 Source advisory: OSV:GHSA-WFHP-QGM8-5P5C...

4.3 CVSS | 7.7 AI score | 0.00333 EPSS
Exploits 0

Snyk
added 2026/02/18 3:31 p.m. | 6 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the Run Parameter values. An attacker can access information about the existence of job...

5.3 CVSS | 5.7 AI score | 0.00333 EPSS
Exploits 0 | References 2

Veracode
added 2025/12/13 4:39 a.m. | 9 views

Denial Of Service (DoS)

org.jenkins-ci.main, jenkins-core is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling and closure of corrupted HTTP-based CLI connection streams, which allows an unauthenticated attacker to trigger a denial of service by sending malformed or corrupted connection...

7.5 CVSS | 5.5 AI score | 0.00506 EPSS
Exploits 0 | References 4 | Affected Software 2

Snyk
added 2025/12/10 6:30 p.m. | 7 views

Cross-site Request Forgery (CSRF)

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF token crumb enforcement on the HTTP endpoints handling interactive login requests. An attacker can cause users to...

4.8 CVSS | 6.8 AI score | 0.00154 EPSS
Exploits 0 | References 2

vulnersOsv
added 2025/12/10 6:30 p.m. | 9 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +624 more potentially affected by CVE-2025-67636 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more So...

4.3 CVSS | 7.4 AI score | 0.00208 EPSS
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m. | 7 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67639 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67639 Source advisory: OSV:GHSA-6837-QGRC-X5P6...

3.5 CVSS | 7.4 AI score | 0.00154 EPSS
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m. | 8 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +624 more potentially affected by CVE-2025-67638 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more So...

4.3 CVSS | 7.4 AI score | 0.00134 EPSS
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m. | 7 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67636 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67636 Source advisory: OSV:GHSA-P3F5-98CV-562J...

4.3 CVSS | 7.4 AI score | 0.00208 EPSS
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m. | 6 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67638 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67638 Source advisory: OSV:GHSA-HXJG-2JVF-H3RX...

4.3 CVSS | 7.4 AI score | 0.00134 EPSS
Exploits 0

Snyk
added 2025/12/10 6:30 p.m. | 3 views

Missing Authorization

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Missing Authorization due to a missing permission check in the password fields. An attacker can access encrypted password values by leveraging View/Read permissions...

5.4 CVSS | 6.7 AI score | 0.00208 EPSS
Exploits 0 | References 2

vulnersOsv
added 2025/12/10 6:30 p.m. | 2 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +624 more potentially affected by CVE-2025-67639 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more So...

3.5 CVSS | 7.4 AI score | 0.00154 EPSS
Exploits 0

Snyk
added 2025/12/10 6:30 p.m. | 8 views

Improper Resource Shutdown or Release

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP-based CLI connections. An attacker can cause the service to become unavailable by sending corrupted connection...

8.7 CVSS | 6.8 AI score | 0.00506 EPSS
Exploits 0 | References 2