By vendor

Jenkins vulnerabilities

Known CVEs affecting Jenkins products, prioritized by severity, with SEC.co remediation and detection guidance.

8 published vulnerabilities

  • CVE-2026-53435HIGH 8.8

    Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a critical flaw in how they process configuration files. An authenticated attacker can craft a malicious `config.xml` file that causes Jenkins to deserialize and instantiate arbitrary Java objects from Jenkins core or installed plugins. Once deserialized, these objects can intercept and handle HTTP requests, enabling the attacker to impersonate any Jenkins user—including administrators—and perform actions such as accessing the Script Console to execute arbitrary code or reading sensitive files from the Jenkins controller.

  • CVE-2026-53441MEDIUM 5.4

    Jenkins versions 2.483–2.567 and LTS 2.492.1–2.555.2 contain a stored cross-site scripting (XSS) vulnerability in how they handle user-supplied descriptions for generic offline causes. An attacker with Agent/Configure permissions can inject malicious script into the offline cause description via the POST config.xml API, and that script will execute in the browsers of other users who view the Jenkins interface. This is a classic stored XSS—the payload persists in Jenkins' configuration until removed.

  • CVE-2026-53442MEDIUM 5.3

    Jenkins fails to encrypt sensitive credentials when they are submitted via POST requests to update job configurations. Instead of storing these secrets securely, Jenkins saves them in plain text within job config.xml files on the controller. Any user with permission to read job details or anyone with file system access to the Jenkins controller can view these unencrypted secrets, creating a path for credential theft.

  • CVE-2026-53436MEDIUM 4.3

    Jenkins contains a validation flaw in its login redirect mechanism that allows attackers to craft phishing URLs appearing to come from a legitimate Jenkins instance. When users log in, Jenkins is supposed to redirect them to internal pages, but the vulnerability allows attackers to redirect users to external malicious sites by exploiting how the application handles relative path segments (like `./` or `../`). An attacker would need to trick a user into clicking a specially crafted link, but the exploit itself is straightforward and doesn't require special technical skills.

  • CVE-2026-53437MEDIUM 4.3

    Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a flaw in how they validate redirect URLs after user login. An attacker can craft a malicious redirect URL that appears to point to a legitimate Jenkins instance by inserting tab or newline characters between the `//` protocol separator, causing the validation to pass. When a user clicks such a link after logging in, they may be redirected to an attacker-controlled site while believing they're staying within Jenkins, enabling credential harvesting or other phishing attacks.

  • CVE-2026-53438MEDIUM 4.3

    Jenkins versions 2.567 and earlier (or LTS 2.555.2 and earlier) contain a permission bypass flaw that allows authenticated users holding the Item/Cancel permission to cancel build queue items without requiring Item/Read permission. This means an attacker with limited cancellation rights can disrupt builds they shouldn't be able to view or access, effectively using one permission to circumvent another. The vulnerability is not actively exploited in the wild and requires authenticated access, making it a moderate risk in most deployments.

  • CVE-2026-53439MEDIUM 4.3

    Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a permission bypass vulnerability that allows low-privileged attackers to discover sensitive information about other users. Specifically, attackers who have been granted the basic Overall/Read permission can view other users' timezone settings and enumerate the names of views in other users' private "My Views" sections. This is an information disclosure issue that could support reconnaissance or social engineering attacks, though it does not enable direct system compromise.

  • CVE-2026-53440MEDIUM 4.3

    Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a flaw in their "Delegate to servlet container" security realm that fails to validate redirect destinations after user login. An attacker can craft a malicious link that redirects authenticated users to an attacker-controlled website, enabling phishing attacks that steal credentials or distribute malware while appearing to come from a legitimate Jenkins instance.