Vulnerability-Lookup

WID-SEC-W-2026-1320

Vulnerability from csaf_certbund - Published: 2026-04-29 22:00 - Updated: 2026-04-29 22:00

Summary

Jenkins Plugins: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um beliebigen Code auszuführen, Daten zu manipulieren, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen sowie Cross-Site-Scripting- oder Phishing-Angriffe durchzuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-42519

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Script Security Plugin <1402.v94c9ce464861 Jenkins / Jenkins		Script Security Plugin <1402.v94c9ce464861

CVE-2026-42520

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Credentials Binding Plugin <720.v3f6decef43ea Jenkins / Jenkins		Credentials Binding Plugin <720.v3f6decef43ea

CVE-2026-42521

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Matrix Authorization Strategy Plugin <3.2.10 Jenkins / Jenkins		Matrix Authorization Strategy Plugin <3.2.10

CVE-2026-42522

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Branch Source Plugin <1967.1969.v205fd594c821 Jenkins / Jenkins		GitHub Branch Source Plugin <1967.1969.v205fd594c821

CVE-2026-42523

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Plugin <1.46.0.1 Jenkins / Jenkins		GitHub Plugin <1.46.0.1

CVE-2026-42524

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins HTML Publisher Plugin <427.1 Jenkins / Jenkins		HTML Publisher Plugin <427.1

CVE-2026-42525

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Microsoft Entra ID Plugin <667.v4c5827a_e74a_0 Jenkins / Jenkins		Microsoft Entra ID Plugin <667.v4c5827a_e74a_0

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.jenkins.io/security/advisory/2026-04-29/	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um beliebigen Code auszuf\u00fchren, Daten zu manipulieren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen sowie Cross-Site-Scripting- oder Phishing-Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1320 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1320.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1320 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1320"
      },
      {
        "category": "external",
        "summary": "Jenkins Security Advisory vom 2026-04-29",
        "url": "https://www.jenkins.io/security/advisory/2026-04-29/"
      }
    ],
    "source_lang": "en-US",
    "title": "Jenkins Plugins: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-04-29T22:00:00.000+00:00",
      "generator": {
        "date": "2026-04-30T10:10:06.448+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1320",
      "initial_release_date": "2026-04-29T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-29T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Credentials Binding Plugin \u003c720.v3f6decef43ea",
                "product": {
                  "name": "Jenkins Jenkins Credentials Binding Plugin \u003c720.v3f6decef43ea",
                  "product_id": "T053437"
                }
              },
              {
                "category": "product_version",
                "name": "Credentials Binding Plugin 720.v3f6decef43ea",
                "product": {
                  "name": "Jenkins Jenkins Credentials Binding Plugin 720.v3f6decef43ea",
                  "product_id": "T053437-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:credentials_binding_plugin__720.v3f6decef43ea"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "GitHub Plugin \u003c1.46.0.1",
                "product": {
                  "name": "Jenkins Jenkins GitHub Plugin \u003c1.46.0.1",
                  "product_id": "T053438"
                }
              },
              {
                "category": "product_version",
                "name": "GitHub Plugin 1.46.0.1",
                "product": {
                  "name": "Jenkins Jenkins GitHub Plugin 1.46.0.1",
                  "product_id": "T053438-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:github_plugin__1.46.0.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "GitHub Branch Source Plugin \u003c1967.1969.v205fd594c821",
                "product": {
                  "name": "Jenkins Jenkins GitHub Branch Source Plugin \u003c1967.1969.v205fd594c821",
                  "product_id": "T053439"
                }
              },
              {
                "category": "product_version",
                "name": "GitHub Branch Source Plugin 1967.1969.v205fd594c821",
                "product": {
                  "name": "Jenkins Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821",
                  "product_id": "T053439-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:github_branch_source_plugin__1967.1969.v205fd594c821"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "HTML Publisher Plugin \u003c427.1",
                "product": {
                  "name": "Jenkins Jenkins HTML Publisher Plugin \u003c427.1",
                  "product_id": "T053440"
                }
              },
              {
                "category": "product_version",
                "name": "HTML Publisher Plugin 427.1",
                "product": {
                  "name": "Jenkins Jenkins HTML Publisher Plugin 427.1",
                  "product_id": "T053440-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:html_publisher_plugin__427.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Matrix Authorization Strategy Plugin \u003c3.2.10",
                "product": {
                  "name": "Jenkins Jenkins Matrix Authorization Strategy Plugin \u003c3.2.10",
                  "product_id": "T053441"
                }
              },
              {
                "category": "product_version",
                "name": "Matrix Authorization Strategy Plugin 3.2.10",
                "product": {
                  "name": "Jenkins Jenkins Matrix Authorization Strategy Plugin 3.2.10",
                  "product_id": "T053441-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:matrix_authorization_strategy_plugin__3.2.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Microsoft Entra ID Plugin \u003c667.v4c5827a_e74a_0",
                "product": {
                  "name": "Jenkins Jenkins Microsoft Entra ID Plugin \u003c667.v4c5827a_e74a_0",
                  "product_id": "T053442"
                }
              },
              {
                "category": "product_version",
                "name": "Microsoft Entra ID Plugin 667.v4c5827a_e74a_0",
                "product": {
                  "name": "Jenkins Jenkins Microsoft Entra ID Plugin 667.v4c5827a_e74a_0",
                  "product_id": "T053442-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:microsoft_entra_id_plugin__667.v4c5827a_e74a_0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Script Security Plugin \u003c1402.v94c9ce464861",
                "product": {
                  "name": "Jenkins Jenkins Script Security Plugin \u003c1402.v94c9ce464861",
                  "product_id": "T053443"
                }
              },
              {
                "category": "product_version",
                "name": "Script Security Plugin 1402.v94c9ce464861",
                "product": {
                  "name": "Jenkins Jenkins Script Security Plugin 1402.v94c9ce464861",
                  "product_id": "T053443-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:script_security_plugin__1402.v94c9ce464861"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Jenkins"
          }
        ],
        "category": "vendor",
        "name": "Jenkins"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42519",
      "product_status": {
        "known_affected": [
          "T053443"
        ]
      },
      "release_date": "2026-04-29T22:00:00.000+00:00",
      "title": "CVE-2026-42519"
    },
    {
      "cve": "CVE-2026-42520",
      "product_status": {
        "known_affected": [
          "T053437"
        ]
      },
      "release_date": "2026-04-29T22:00:00.000+00:00",
      "title": "CVE-2026-42520"
    },
    {
      "cve": "CVE-2026-42521",
      "product_status": {
        "known_affected": [
          "T053441"
        ]
      },
      "release_date": "2026-04-29T22:00:00.000+00:00",
      "title": "CVE-2026-42521"
    },
    {
      "cve": "CVE-2026-42522",
      "product_status": {
        "known_affected": [
          "T053439"
        ]
      },
      "release_date": "2026-04-29T22:00:00.000+00:00",
      "title": "CVE-2026-42522"
    },
    {
      "cve": "CVE-2026-42523",
      "product_status": {
        "known_affected": [
          "T053438"
        ]
      },
      "release_date": "2026-04-29T22:00:00.000+00:00",
      "title": "CVE-2026-42523"
    },
    {
      "cve": "CVE-2026-42524",
      "product_status": {
        "known_affected": [
          "T053440"
        ]
      },
      "release_date": "2026-04-29T22:00:00.000+00:00",
      "title": "CVE-2026-42524"
    },
    {
      "cve": "CVE-2026-42525",
      "product_status": {
        "known_affected": [
          "T053442"
        ]
      },
      "release_date": "2026-04-29T22:00:00.000+00:00",
      "title": "CVE-2026-42525"
    }
  ]
}

CVE-2026-42519 (GCVE-0-2026-42519)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:31 – Updated: 2026-04-29 14:03

Summary

A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-862 - Missing Authorization

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-04-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Script Security Plugin	Affected: 0 , ≤ 1399.ve6a_66547f6e1 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42519",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T14:03:52.578040Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-862",
                "description": "CWE-862 Missing Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:03:57.188Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Script Security Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "1399.ve6a_66547f6e1",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T13:31:29.232Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-04-29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3662"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-42519",
    "datePublished": "2026-04-29T13:31:29.232Z",
    "dateReserved": "2026-04-28T09:24:35.048Z",
    "dateUpdated": "2026-04-29T14:03:57.188Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42520 (GCVE-0-2026-42520)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:31 – Updated: 2026-04-29 14:02

Summary

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-04-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Credentials Binding Plugin	Affected: 0 , ≤ 719.v80e905ef14eb_ (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42520",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T14:01:22.227929Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:02:37.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Credentials Binding Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "719.v80e905ef14eb_",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T13:31:29.921Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-04-29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-42520",
    "datePublished": "2026-04-29T13:31:29.921Z",
    "dateReserved": "2026-04-28T09:24:35.048Z",
    "dateUpdated": "2026-04-29T14:02:37.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42521 (GCVE-0-2026-42521)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:31 – Updated: 2026-04-29 13:58

Summary

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-04-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Matrix Authorization Strategy Plugin	Affected: 2.0-beta-1 , ≤ 3.2.9 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42521",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T13:58:15.842577Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:58:20.768Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Matrix Authorization Strategy Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "3.2.9",
              "status": "affected",
              "version": "2.0-beta-1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T13:31:30.608Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-04-29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3676"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-42521",
    "datePublished": "2026-04-29T13:31:30.608Z",
    "dateReserved": "2026-04-28T09:24:35.048Z",
    "dateUpdated": "2026-04-29T13:58:20.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42522 (GCVE-0-2026-42522)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:31 – Updated: 2026-04-29 14:28

Summary

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-862 - Missing Authorization

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-04-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins GitHub Branch Source Plugin	Affected: 0 , ≤ 1967.vdea_d580c1a_b_a_ (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42522",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T14:28:29.627702Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-862",
                "description": "CWE-862 Missing Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:28:32.781Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins GitHub Branch Source Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "1967.vdea_d580c1a_b_a_",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T13:31:31.337Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-04-29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3702"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-42522",
    "datePublished": "2026-04-29T13:31:31.337Z",
    "dateReserved": "2026-04-28T09:24:35.048Z",
    "dateUpdated": "2026-04-29T14:28:32.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42523 (GCVE-0-2026-42523)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:31 – Updated: 2026-04-29 14:29

Summary

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Severity

9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-04-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins GitHub Plugin	Affected: 0 , ≤ 1.46.0 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42523",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T14:29:18.837762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:29:21.203Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins GitHub Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "1.46.0",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature \"GitHub hook trigger for GITScm polling\", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T13:31:32.189Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-04-29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3704"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-42523",
    "datePublished": "2026-04-29T13:31:32.189Z",
    "dateReserved": "2026-04-28T09:24:35.048Z",
    "dateUpdated": "2026-04-29T14:29:21.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42524 (GCVE-0-2026-42524)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:31 – Updated: 2026-04-29 14:29

Summary

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity

8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-04-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins HTML Publisher Plugin	Affected: 0 , ≤ 427 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42524",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T14:29:38.535986Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:29:40.872Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins HTML Publisher Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "427",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T13:31:32.905Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-04-29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3706"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-42524",
    "datePublished": "2026-04-29T13:31:32.905Z",
    "dateReserved": "2026-04-28T09:24:35.049Z",
    "dateUpdated": "2026-04-29T14:29:40.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42525 (GCVE-0-2026-42525)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:31 – Updated: 2026-04-29 14:09

Summary

Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-04-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Microsoft Entra ID (previously Azure AD) Plugin	Affected: 0 , ≤ 666.v6060de32f87d (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42525",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T14:09:36.527106Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-601",
                "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:09:41.735Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Microsoft Entra ID (previously Azure AD) Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "666.v6060de32f87d",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T13:31:33.582Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-04-29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3760"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-42525",
    "datePublished": "2026-04-29T13:31:33.582Z",
    "dateReserved": "2026-04-28T09:24:35.049Z",
    "dateUpdated": "2026-04-29T14:09:41.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1320

CVE-2026-42519 (GCVE-0-2026-42519)

CVE-2026-42520 (GCVE-0-2026-42520)

CVE-2026-42521 (GCVE-0-2026-42521)

CVE-2026-42522 (GCVE-0-2026-42522)

CVE-2026-42523 (GCVE-0-2026-42523)

CVE-2026-42524 (GCVE-0-2026-42524)

CVE-2026-42525 (GCVE-0-2026-42525)

Tags

Sightings

Nomenclature