423 matches found

CVE
added 2 days ago, 10 views

CVE-2026-53435

CVE-2026-53435 affects Jenkins 2.567 and earlier, and LTS 2.555.2 and earlier. The issue arises from deserializing arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission, enabling attackers to handle HTTP requests after exploitation. Impact stated in ...

CVSS 8.8, AI score 5.7, EPSS 0.00054
Exploits 0, References 1, Affected Software 1

vulnersOsv
added 2026/03/18 6:31 p.m., 7 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1917 more potentially affected by CVE-2026-33001 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.554)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2026-33001 Source advisory: OSV:GHSA-R6QV-FRPC-Q66C...

CVSS 8.8, AI score 5.8, EPSS 0.00261
Exploits 0

vulnersOsv
added 2026/03/18 6:31 p.m., 8 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +661 more potentially affected by CVE-2026-33001 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.554)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more Source...

CVSS 8.8, AI score 5.8, EPSS 0.00261
Exploits 0

Snyk
added 2026/03/18 6:31 p.m., 8 views

UNIX Symbolic Link (Symlink) Following

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following during the extraction of .tar and .tar.gz archives when symbolic links are present. An attacker can create or overwrite arbitrary...

CVSS 8.8, AI score 5.9, EPSS 0.00261
Exploits 0, References 3

Snyk
added 2026/03/18 6:31 p.m., 4 views

DNS Rebinding

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to DNS Rebinding in the origin validation process for WebSocket CLI requests due to reliance on the Host or X-Forwarded-Host HTTP headers. An attacker can bypass origin...

CVSS 7.7, AI score 5.8, EPSS 0.00074
Exploits 0, References 3

Snyk
added 2026/02/18 3:31 p.m., 7 views

Cross-site Scripting (XSS)

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the UserCause function. An attacker can execute arbitrary JavaScript code in the context of other users by providing crafted input in the...

CVSS 8.6, AI score 5.8, EPSS 0.00073
Exploits 0, References 2

vulnersOsv
added 2026/02/18 3:31 p.m., 8 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1915 more potentially affected by CVE-2026-27100 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.541.1)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2026-27100 Source advisory: OSV:GHSA-WFHP-QGM8-5P5C...

CVSS 4.3, AI score 7.7, EPSS 0.00354
Exploits 0

vulnersOsv
added 2026/02/18 3:31 p.m., 7 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +659 more potentially affected by CVE-2026-27100 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.541.1)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more Sou...

CVSS 4.3, AI score 7.7, EPSS 0.00354
Exploits 0

Snyk
added 2026/02/18 3:31 p.m., 6 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the Run Parameter values. An attacker can access information about the existence of job...

CVSS 5.3, AI score 5.7, EPSS 0.00354
Exploits 0, References 2

Veracode
added 2025/12/13 4:39 a.m., 9 views

Denial Of Service (DoS)

org.jenkins-ci.main, jenkins-core is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling and closure of corrupted HTTP-based CLI connection streams, which allows an unauthenticated attacker to trigger a denial of service by sending malformed or corrupted connection...

CVSS 7.5, AI score 5.5, EPSS 0.00104
Exploits 0, References 4, Affected Software 2

Snyk
added 2025/12/10 6:30 p.m., 7 views

Insufficiently Protected Credentials

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the display of build authorization tokens on the job configuration form. An attacker can gain unauthorized access to sensitive...

CVSS 5.3, AI score 6.6, EPSS 0.00038
Exploits 0, References 2

Snyk
added 2025/12/10 6:30 p.m., 7 views

Cross-site Request Forgery (CSRF)

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF token crumb enforcement on the HTTP endpoints handling interactive login requests. An attacker can cause users to...

CVSS 4.8, AI score 6.8, EPSS 0.00041
Exploits 0, References 2

Snyk
added 2025/12/10 6:30 p.m., 8 views

Improper Resource Shutdown or Release

Overview: org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP-based CLI connections. An attacker can cause the service to become unavailable by sending corrupted connection...

CVSS 8.7, AI score 6.8, EPSS 0.00104
Exploits 0, References 2

vulnersOsv
added 2025/12/10 6:30 p.m., 7 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +624 more potentially affected by CVE-2025-67637 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more So...

CVSS 4.3, AI score 7.4, EPSS 0.00076
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m., 8 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67637 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67637 Source advisory: OSV:GHSA-FXJ7-6V9W-XC76...

CVSS 4.3, AI score 7.4, EPSS 0.00076
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m., 7 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67639 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67639 Source advisory: OSV:GHSA-6837-QGRC-X5P6...

CVSS 3.5, AI score 7.4, EPSS 0.00041
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m., 8 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67635 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67635 Source advisory: OSV:GHSA-9P56-P6MW-W8QC...

CVSS 7.5, AI score 7.5, EPSS 0.00104
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m., 7 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67636 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67636 Source advisory: OSV:GHSA-P3F5-98CV-562J...

CVSS 4.3, AI score 7.4, EPSS 0.00215
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m., 10 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +624 more potentially affected by CVE-2025-67635 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more So...

CVSS 7.5, AI score 7.5, EPSS 0.00104
Exploits 0

vulnersOsv
added 2025/12/10 6:30 p.m., 8 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +624 more potentially affected by CVE-2025-67636 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more So...

CVSS 4.3, AI score 7.4, EPSS 0.00215
Exploits 0