CVE-2026-53442
- EPSS 0.19%
- Veröffentlicht 10.06.2026 13:06:02
- Zuletzt bearbeitet 12.06.2026 00:59:52
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users wit...
CVE-2026-53441
- EPSS 0.26%
- Veröffentlicht 10.06.2026 13:06:01
- Zuletzt bearbeitet 06.07.2026 16:16:34
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site ...
CVE-2026-53439
- EPSS 0.23%
- Veröffentlicht 10.06.2026 13:06:00
- Zuletzt bearbeitet 11.06.2026 13:06:36
Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".
CVE-2026-53440
- EPSS 0.24%
- Veröffentlicht 10.06.2026 13:06:00
- Zuletzt bearbeitet 12.06.2026 01:03:40
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users...
CVE-2026-53438
- EPSS 0.21%
- Veröffentlicht 10.06.2026 13:05:59
- Zuletzt bearbeitet 11.06.2026 13:21:45
A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.
CVE-2026-53437
- EPSS 0.36%
- Veröffentlicht 10.06.2026 13:05:58
- Zuletzt bearbeitet 30.06.2026 03:20:58
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.
CVE-2026-53435
- EPSS 14.91%
- Veröffentlicht 10.06.2026 13:05:57
- Zuletzt bearbeitet 30.06.2026 03:20:58
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle...
CVE-2026-53436
- EPSS 0.28%
- Veröffentlicht 10.06.2026 13:05:57
- Zuletzt bearbeitet 11.06.2026 13:24:27
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
CVE-2026-33002
- EPSS 0.3%
- Veröffentlicht 18.03.2026 15:15:25
- Zuletzt bearbeitet 21.03.2026 00:18:44
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarde...
CVE-2026-33001
- EPSS 1.16%
- Veröffentlicht 18.03.2026 15:15:23
- Zuletzt bearbeitet 30.06.2026 03:18:35
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file sy...