Lucene search
K
JenkinsRecent

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Path traversal vulnerability in external-workspace-manager

external-workspace-manager 1.3.2 and earlier does not reject .. path segments when validating the custom workspace path provided to the exwsAllocate Pipeline step, allowing the resulting workspace path to escape the configured disk mount point. This allows attackers with Item/Configure permission...

8.8CVSS6.7AI score0.00595EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข6 views

XXE vulnerability in assembla

assembla 1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks when parsing responses from the configured Assembla server. This allows attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or...

7.1CVSS5.9AI score0.00224EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Passwords stored in plain text by fitnesse

fitnesse 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, the...

4.3CVSS5.9AI score0.00178EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

CSRF vulnerability and missing permission check in zdevops

zdevops 1.1.3.50.ve350c9b450b1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...

4.2CVSS5.8AI score0.0014EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข8 views

OS command injection vulnerability on agents in git-client

git-client 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification strategy on Unix agents. This allows attackers able to control the name of a build's working...

5CVSS6.1AI score0.00207EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Sandbox bypass vulnerability in script-security

script-security provides a sandbox feature that allows running user-provided scripts safely by intercepting and checking potentially unsafe operations. script-security 1402.v94c9ce464861 and earlier does not intercept the implicit type cast applied to each element of the iterated collection in a...

8.8CVSS6.2AI score0.00372EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข6 views

CSRF vulnerability and unrestricted instantiation of types in workflow-cps

workflow-cps 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, instantiating any type with a constructor annotated with @DataBoundConstructor in response to a request. This allows attackers to have workflow-cps instantiate...

4.3CVSS5.8AI score0.00275EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Script security bypass vulnerability in script-security

script-security 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations such as @CompileStatic and @TypeChecked that carry an extensions member, which causes Groovy to load and execute a script from the classpath at compile time, before the sandbox is applied. This ma...

8.5CVSS5.9AI score0.00594EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข8 views

Missing permission check in git-parameter allows listing SCM branch and tag names

git-parameter 462.vdcf3df2ed2ca and earlier does not perform a permission check in an HTTP endpoint that populates the list of values for Git parameters by querying the SCM configured on a job, using the SCM credentials configured in Jenkins. This allows attackers with Item/Read permission to...

4.3CVSS5.9AI score0.00216EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Encrypted values of secrets in job and agent configurations not redacted by jobConfigHistory

jobConfigHistory 1356.ve360da6c523a and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations through its "View as XML" / "RAW" feature and its configuration diff views. This allows attackers with Item/Extended Read permission but not...

4.3CVSS5.9AI score0.0013EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Missing permission check allows enumerating GitHub Enterprise server URLs in github-branch-source

github-branch-source 1967.1969.v205fd594c821 and earlier does not perform a permission check in an HTTP endpoint that lists the GitHub API endpoints configured in the global plugin configuration. This allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers...

4.3CVSS5.8AI score0.00216EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Missing permission check in mcp-server allows reading Pipeline replay scripts

mcp-server 0.177.v629fdb2557fe and earlier does not perform a permission check in the getReplayScripts MCP tool that returns the replay script of a Pipeline build. This allows attackers with Item/Read permission to obtain the Pipeline script of jobs. mcp-server 0.178.vffe5ae770f3b requires...

4.3CVSS5.9AI score0.00178EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

LDAP injection vulnerability in active-directory

In active-directory 2.41.1 and earlier, the Windows native ADSI authentication path does not escape the user name before building the LDAP search filter. This allows unauthenticated attackers to inject LDAP wildcard characters into the user name, enabling them to enumerate directory user and grou...

3.7CVSS5.9AI score0.00224EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข86 views

SSL/TLS certificate validation unconditionally disabled by bitbucket-push-and-pull-request

bitbucket-push-and-pull-request 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for the connections it makes to Bitbucket Server using Bearer token authentication. Because the Bearer token is transmitted in these requests, this allows attackers able to...

4.8CVSS5.9AI score0.00108EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข8 views

CSRF vulnerability in PrioritySorter

PrioritySorter 936.v2c01c6b84449 and earlier does not require POST requests in an HTTP endpoint that saves the global job priority configuration. This allows attackers to overwrite the global job priority configuration. PrioritySorter 936.937.v5581d0b2ccba requires POST requests for the affected...

4.3CVSS5.9AI score0.00152EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข5 views

Incorrect permission check in gitee allows enumerating credentials IDs

gitee 1288.v18bdebc9069b and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credentials IDs of credentials stored in Jenkins. Those ca...

4.3CVSS5.8AI score0.0017EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข6 views

Missing permission checks and CSRF vulnerability in gitee

gitee 1288.v18bdebc9069b and earlier does not perform permission checks in several HTTP endpoints implementing form validation for its global configuration. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained...

5.4CVSS5.8AI score0.00145EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข87 views

CSRF vulnerability and missing permission checks in ec2-fleet

ec2-fleet 4.2.3.539.v8fedff2a81c3 and earlier does not perform permission checks in several HTTP endpoints used to validate cloud configurations. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through...

5.4CVSS5.8AI score0.00161EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข5 views

CSRF vulnerability and missing permission check in contrast-continuous-application-security

contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...

5.4CVSS5.8AI score0.00187EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข7 views

Builds executed on the Jenkins controller by zapper can lead to RCE

zapper 1.0.7 and earlier does not support distributed builds, causing the file operations and build process of its "Automatically build ZAP" feature to be performed on the Jenkins controller rather than on the agent the build is assigned to. This allows attackers with Item/Configure permission to...

8.8CVSS6.1AI score0.0042EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข5 views

CSRF vulnerability and missing permission check in assembla

assembla 1.4 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to an Assembla server. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. Additionally, this HTTP...

5.4CVSS5.8AI score0.00161EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/24 12:0 a.m.โ€ข6 views

Missing permission checks in contrast-continuous-application-security allow enumerating Contrast metadata

contrast-continuous-application-security 3.11 and earlier does not perform permission checks in several HTTP endpoints that fill list box options with the names of the configured Contrast metadata. This allows attackers with Overall/Read permission to enumerate the names of configured Contrast...

4.3CVSS5.8AI score0.00187EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข7 views

Stored XSS vulnerability in node offline cause description

Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...

8CVSS4.9AI score0.00261EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข9 views

Deserialization vulnerability

Jenkins uses serialization and deserialization in multiple places, like agent/controller communication the Remoting library and to load and save configuration and build data using XStream. To protect from common deserialization vulnerabilities, Jenkins uses a custom deserialization filter that on...

8.8CVSS5.6AI score0.14907EPSS
Exploits2Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข6 views

Open redirect vulnerability

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...

7.4CVSS5.2AI score0.00364EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข7 views

Open redirect vulnerability

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...

7.4CVSS5.2AI score0.00364EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข9 views

Missing permission check allows canceling queue items

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform an Item/Read permission check in an HTTP endpoint. This allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. NOTE: This is due to an incomplete...

4.3CVSS5.2AI score0.00213EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข7 views

Missing permission checks allow obtaining limited user profile information

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform permission checks in HTTP endpoints. This allows attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". Jenkins 2.568, LTS 2.555.3 performs...

4.3CVSS5.2AI score0.00234EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข9 views

Open redirect vulnerability in "Delegate to servlet container" security realm

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login. This allows attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. Jenkins...

4.3CVSS5.2AI score0.00239EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/06/10 12:0 a.m.โ€ข7 views

Plaintext secrets persisted and served by config.xml endpoints

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission...

5.3CVSS5.2AI score0.0019EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข10 views

Arbitrary file read vulnerability through symbolic links in pipeline-groovy-lib

pipeline-groovy-lib 797.v90eaa9be45a0 and earlier does not prohibit symbolic links in shared libraries. This allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. pipeline-groovy-lib 798.v5cc688825312 prohibi...

7.5CVSS5.4AI score0.00301EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข8 views

CSRF vulnerability in github-pullrequest

github-pullrequest 0.7.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trigger a build for a pull request. github-pullrequest 0.7.4 requires POST requests for the affected HTTP...

4.3CVSS5.2AI score0.00109EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข9 views

RCE vulnerability from unvalidated LDAP referrals in active-directory

active-directory 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadget...

6.6CVSS6.1AI score0.0027EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข8 views

Missing permission check in jenkinsci-appspider-plugin allows sending requests

jenkinsci-appspider-plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. jenkinsci-appspider-plugin 1.0.18 requires Overall/Administer permission to use t...

4.3CVSS5.2AI score0.00187EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข9 views

CSRF vulnerability in jenkins-multijob-plugin allows resuming builds

jenkins-multijob-plugin 662.vd2e0001f6bbd and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to resume failed Multijob builds. jenkins-multijob-plugin 669.v9d96ad9c71b0 requires POST...

4.3CVSS5.1AI score0.00152EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข9 views

Stored XSS vulnerability in buildgraph-view

buildgraph-view 1.8 and earlier does not escape the build URL. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views. As of publication of this advisory, there is no fix. Learn why we announce this...

8CVSS4.9AI score0.00176EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข8 views

Arbitrary file read vulnerability in email-ext

email-ext 1933.v45cec755423f and earlier includes a feature that allows inlining images as base64 in email content by setting the data-inline attribute. No restrictions are placed on the image URLs that can be inlined. This allows attackers able to control the email content to specify file: URLs...

8.8CVSS5.4AI score0.00299EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข7 views

RCE vulnerability from unvalidated LDAP referrals in ldap

ldap 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadgets" are available on th...

6.6CVSS6AI score0.00285EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข8 views

Path traversal vulnerability in credentials-binding

credentials-binding 720.v3f6decef43ea and earlier does not properly sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged us...

7.5CVSS5.5AI score0.00364EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข9 views

Open redirect vulnerability in bitbucket-oauth

bitbucket-oauth 0.17 and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. bitbucket-oauth 0.18 only redirects to relative Jenkin...

4.3CVSS5.1AI score0.00216EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/05/27 12:0 a.m.โ€ข7 views

Missing permission check in job-import-plugin allows enumerating credentials IDs

job-import-plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...

4.3CVSS5.2AI score0.00178EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข6 views

Missing permission check in script-security allows enumerating pending and approved classpaths

script-security 1399.ve6a66547f6e1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. script-security 1402.v94c9ce464861 requires Overall/Administer permission to...

4.3CVSS5.2AI score0.00174EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข8 views

Unsafe deserialization allows invoking parameterless constructors in matrix-auth

matrix-auth 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with Item/Configure permission to...

6.5CVSS5.3AI score0.00246EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข6 views

Missing permission check in github-branch-source allows performing a connection test

github-branch-source 1967.vdead580c1aba and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. github-branch-source...

4.3CVSS5.2AI score0.00184EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข9 views

Path traversal vulnerability in credentials-binding

credentials-binding 719.v80e905ef14eb and earlier does not sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged user to...

7.5CVSS5.9AI score0.00411EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข8 views

Open redirect vulnerability in azure-ad

azure-ad 666.v6060de32f87d and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. azure-ad 667.v4c5827ae74a0 only redirects to...

4.3CVSS5.1AI score0.00212EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข7 views

XSS vulnerability in github

github 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling". This results in a stored cross-site scripting XSS vulnerability exploitable by non-anonymous attackers with Overall/Read...

9CVSS5.4AI score0.00281EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/04/29 12:0 a.m.โ€ข8 views

XSS vulnerability in legacy wrapper file in htmlpublisher

htmlpublisher 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 427.1 escapes job name and URL when generating the legacy wrapper file...

8CVSS5.4AI score0.00281EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/03/18 12:0 a.m.โ€ข6 views

DNS rebinding vulnerability in WebSocket CLI origin validation

Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...

7.5CVSS6.1AI score0.00297EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
โ€ขadded 2026/03/18 12:0 a.m.โ€ข5 views

Link following vulnerability allows arbitrary file creation

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running...

8.8CVSS6.4AI score0.01161EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464