Filtered by vendor Jenkins Project
Total: 35 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-48917 | Jenkins, Jenkins Project | Ldap, Jenkins Ldap Plugin | 2026-06-03 | 6.6 Medium | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48916 | Jenkins, Jenkins Project | Ldap, Jenkins Ldap Plugin | 2026-06-02 | 6.6 Medium | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. |
| CVE-2026-48926 | Jenkins, Jenkins Project | Job Import, Jenkins Job Import Plugin | 2026-06-02 | 4.3 Medium | Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2026-48918 | Jenkins, Jenkins Project | Active Directory, Jenkins Active Directory Plugin | 2026-05-30 | 6.6 Medium | Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. |
| CVE-2026-48919 | Jenkins, Jenkins Project | Active Directory, Jenkins Active Directory Plugin | 2026-05-30 | 6.6 Medium | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48920 | Jenkins, Jenkins Project | Email Extension, Jenkins Email Extension Plugin | 2026-05-30 | 8.8 High | Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. |
| CVE-2026-48921 | Jenkins, Jenkins Project | Pipeline: Groovy Libraries, Jenkins Pipeline Groovy Libraries Plugin | 2026-05-30 | 7.5 High | Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. |
| CVE-2026-48923 | Jenkins, Jenkins Project | Appspider, Jenkins Appspider Plugin | 2026-05-30 | 4.3 Medium | Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2026-48924 | Jenkins, Jenkins Project | Bitbucket Oauth, Jenkins Bitbucket Oauth Plugin | 2026-05-30 | 4.3 Medium | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. |
| CVE-2026-48927 | Jenkins, Jenkins Project | Buildgraph-view, Jenkins Buildgraph-view Plugin | 2026-05-30 | 5.5 Medium | Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. |
| CVE-2026-9674 | Jenkins, Jenkins Project | Multijob, Jenkins Multijob Plugin | 2026-05-30 | 4.3 Medium | A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. |
| CVE-2026-48925 | Jenkins Project, Kostyasha | Jenkins Github Plugin, Github Integration | 2026-05-30 | 4.3 Medium | A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request. |
| CVE-2026-48922 | Jenkins, Jenkins Project | Credentials Binding, Jenkins Credentials Binding Plugin | 2026-05-29 | 7.5 High | Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. |
| CVE-2026-42520 | Jenkins, Jenkins Project | Credentials Binding, Jenkins Credentials Binding Plugin | 2026-05-07 | 7.5 High | Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. |
| CVE-2026-42519 | Jenkins, Jenkins Project | Script Security, Jenkins Script Security Plugin | 2026-05-06 | 4.3 Medium | A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. |
| CVE-2026-42521 | Jenkins, Jenkins Project | Matrix Authorization Strategy, Jenkins Matrix Authorization Strategy Plugin | 2026-05-06 | 6.5 Medium | Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath. |
| CVE-2026-42522 | Jenkins, Jenkins Project | Github Branch Source, Jenkins Github Branch Source Plugin | 2026-05-06 | 4.3 Medium | A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. |
| CVE-2026-42524 | Jenkins, Jenkins Project | Html Publisher, Jenkins Html Publisher Plugin | 2026-05-05 | 8.0 High | Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2026-42523 | Jenkins, Jenkins Project | Github, Jenkins Github Plugin | 2026-05-05 | 9.0 Critical | Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission. |
| CVE-2026-42525 | Jenkins, Jenkins Project | Azure Ad, Jenkins Microsoft Entra Id Plugin | 2026-05-05 | 4.3 Medium | Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. |
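Every entry above bounds the affected range by a plugin version ("807.v7d7de30930cf and earlier", "2.0-beta-1 through 3.2.9"), so the practical question for an operator is which installed plugins fall inside those ranges. The script below is an added example, not code from the listing or from the Jenkins project: it reads the output of a controller's `/pluginManager/api/json?depth=1` endpoint (a real Jenkins endpoint; the response embedded here is constructed) and compares each installed version against the ranges transcribed from the table. Two things are assumptions: the plugin IDs (`shortName`) are not given on this page and were filled in from the display names, so confirm them against your own instance, and the sample version strings are test data, not statements about which release fixes a given CVE. Note the Credentials Binding pair: an instance on 720.v3f6decef43ea_ is past the CVE-2026-42520 bound but still inside CVE-2026-48922, which is exactly the case the comparison has to get right.

```python
"""Triage a Jenkins plugin inventory against the affected ranges in this CVE listing.

Added example; not part of the original page or of the Jenkins project.
"""
import json
import re

# Affected ranges transcribed from the listing: (CVE, lower bound inclusive or None,
# upper bound inclusive). Plugin IDs (the `shortName` Jenkins reports) are an
# assumption derived from the display names; verify them against your instance.
AFFECTED = {
    "ldap": [("CVE-2026-48916", None, "807.v7d7de30930cf"),
             ("CVE-2026-48917", None, "807.v7d7de30930cf")],
    "active-directory": [("CVE-2026-48918", None, "2.41"),
                         ("CVE-2026-48919", None, "2.41")],
    "email-ext": [("CVE-2026-48920", None, "1933.v45cec755423f")],
    "credentials-binding": [("CVE-2026-42520", None, "719.v80e905ef14eb_"),
                            ("CVE-2026-48922", None, "720.v3f6decef43ea_")],
    "script-security": [("CVE-2026-42519", None, "1399.ve6a_66547f6e1")],
    "matrix-auth": [("CVE-2026-42521", "2.0-beta-1", "3.2.9")],
    "github-branch-source": [("CVE-2026-42522", None, "1967.vdea_d580c1a_b_a_")],
    "htmlpublisher": [("CVE-2026-42524", None, "427")],
    "github": [("CVE-2026-42523", None, "1.46.0")],
    "azure-ad": [("CVE-2026-42525", None, "666.v6060de32f87d")],
}

_PRERELEASE = re.compile(r"alpha|beta|rc|snapshot", re.IGNORECASE)


def version_key(version):
    """Sort key for Jenkins plugin versions.

    Two schemes are in use: classic dotted numbers (2.41, 1.46.0) and the
    incremental scheme <commit-count>.v<hash> (807.v7d7de30930cf). The hash is
    not ordered, so only the leading numeric components count. Trailing zeros
    are dropped so that 1.46 == 1.46.0, and a pre-release qualifier
    (2.0-beta-1) sorts below the corresponding release.
    """
    numbers, prerelease = [], False
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break                       # "v7d7de30930cf": hash component, stop
        numbers.append(int(m.group()))
        rest = part[m.end():]
        if rest:                        # "0-beta-1": qualifier ends the numeric prefix
            prerelease = bool(_PRERELEASE.search(rest))
            break
    while numbers and numbers[-1] == 0:
        numbers.pop()
    return (tuple(numbers), 0 if prerelease else 1)


def is_affected(installed, lower, upper):
    """True if `installed` lies within [lower, upper]; a None lower bound means 'and earlier'."""
    key = version_key(installed)
    if lower is not None and key < version_key(lower):
        return False
    return key <= version_key(upper)


def triage(plugin_manager_json, affected=AFFECTED):
    """Return sorted (shortName, installed version, CVE) for every plugin in an affected range.

    Disabled plugins are reported too: their code is still on the controller.
    """
    findings = []
    for plugin in json.loads(plugin_manager_json)["plugins"]:
        for cve, lower, upper in affected.get(plugin["shortName"], []):
            if is_affected(plugin["version"], lower, upper):
                findings.append((plugin["shortName"], plugin["version"], cve))
    return sorted(findings)


# Constructed stand-in for GET <jenkins>/pluginManager/api/json?depth=1, trimmed to
# the fields used here. Versions are test data chosen to exercise both schemes and
# both ends of the ranges; they say nothing about which release fixes a CVE.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "ldap", "version": "807.v7d7de30930cf", "active": True},
    {"shortName": "credentials-binding", "version": "720.v3f6decef43ea_", "active": True},
    {"shortName": "matrix-auth", "version": "2.0-beta-1", "active": True},
    {"shortName": "github", "version": "1.46", "active": True},
    {"shortName": "htmlpublisher", "version": "999.v0000000000aa", "active": True},
    {"shortName": "workflow-aggregator", "version": "600.vb_57cdd26fdd7", "active": True},
]})

if __name__ == "__main__":
    for short_name, version, cve in triage(SAMPLE_INVENTORY):
        print(f"{cve}: {short_name} {version} is in the affected range")
```

Against a live controller, fetch the JSON with an API token (`curl -u user:token "$JENKINS_URL/pluginManager/api/json?depth=1"`) and pass the body to `triage()`. The comparison deliberately ignores everything after the first non-numeric component, which is what makes `720.v3f6decef43ea_` compare as 720: Jenkins incremental versions are ordered by the leading count, not by the hash.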