Jenkin Audit Trail <=3.2 - Cross-Site Scripting

Jenkins Audit Trail 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability. id: CVE-2020-2140 info: name: Jenkin Audit Trail =3.3 which includes a fix for this vulnerability. reference: -...

Jenkins <=2.218 - Information Disclosure

Jenkins through 2.218, LTS 2.204.1 and earlier, is susceptible to information disclosure. An attacker can access exposed session identifiers on a user detail object in the whoAmI diagnostic page and thus potentially access sensitive information, modify data, and/or execute unauthorized operations...

Jenkins Git <=4.11.3 - Missing Authorization

Jenkins Git plugin through 4.11.3 contains a missing authorization check. An attacker can trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. This can make it possible to obtain sensitive information, modify...

Jenkins <=2.196 - Cookie Exposure

Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue. id: CVE-2019-10405...

Jenkins GitHub Plugin <=1.29.1 - Server-Side Request Forgery

Jenkins GitHub Plugin 1.29.1 and earlier is susceptible to server-side request forgery via GitHubTokenCredentialsCreator.java, which allows attackers to leverage attacker-specified credentials IDs obtained through another method and capture the credentials stored in Jenkins. id: CVE-2018-1000600...

Jenkins Gitlab Hook <=1.4.2 - Cross-Site Scripting

Jenkins Gitlab Hook 1.4.2 and earlier does not escape project names in the buildnow endpoint, resulting in a reflected cross-site scripting vulnerability. id: CVE-2020-2096 info: name: Jenkins Gitlab Hook =1.4.3 to mitigate this vulnerability. reference: -...

Jenkins build-metrics 1.3 - Cross-Site Scripting

Jenkins build-metrics 1.3 is vulnerable to a reflected cross-site scripting vulnerability that allows attackers to inject arbitrary HTML and JavaScript into the web pages the plugin provides. id: CVE-2019-10475 info: name: Jenkins build-metrics 1.3 - Cross-Site Scripting author: madrobot severity...

CVE-2026-57285

A flaw was found in the Jenkins GitHub Branch Source Plugin. A missing permission check allows an attacker with Overall/Read permission to obtain the URLs of GitHub Enterprise servers. This information disclosure could expose sensitive configuration details of the Jenkins environment...

CVE-2026-57283

A flaw was found in Jenkins Pipeline: Groovy Plugin. This cross-site request forgery CSRF vulnerability allows attackers to instantiate types related to job or system configuration. This could enable unauthorized modifications to the Jenkins environment...

CVE-2026-57307

A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b450b1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVE-2026-57304

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password...

CVE-2026-57301

Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller...

CVE-2026-57300

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access...

CVE-2026-57305

A cross-site request forgery CSRF vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password...

CVE-2026-57306

A cross-site request forgery CSRF vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b450b1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVE-2026-57302

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system...

CVE-2026-57303

Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery...

CVE-2026-57289

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

CVE-2026-57290

A cross-site request forgery CSRF vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b84449 and earlier allows attackers to overwrite the global job priority configuration...

CVE-2026-57291

Missing permission checks in Jenkins Gitee Plugin 1288.v18bdebc9069b and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method...