CVE-2026-48927 Jenkins Project CVE debrief

Who should care

Jenkins administrators managing instances with buildgraph-view Plugin installed; security teams responsible for CI/CD pipeline integrity; developers with job configuration privileges who may be targeted for account compromise

Technical summary

The buildgraph-view Plugin renders build URLs without proper HTML encoding, permitting stored XSS. Attackers with JOB_CONFIGURE or VIEW_CONFIGURE permissions can craft malicious build URLs containing JavaScript payloads. These payloads persist in build graph visualizations and execute when victims with appropriate access view the graph. The vulnerability requires network access, low attack complexity, and low privileges, with user interaction required for exploitation. Impact is limited to session compromise and limited confidentiality, integrity, and availability effects per CVSS scoring.

Defensive priority

medium

Recommended defensive actions

• Upgrade Jenkins buildgraph-view Plugin to a version newer than 1.8 when available
• Review job and view configurations for unauthorized modifications by users with configure permissions
• Implement Content Security Policy headers on Jenkins instances to mitigate XSS impact
• Audit access logs for unusual job or view configuration changes by non-administrative users
• Apply principle of least privilege for job configuration permissions

Evidence notes

Vulnerability confirmed via Jenkins security advisory published 2026-05-27. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as root cause. No evidence of active exploitation or CISA KEV inclusion as of advisory date.

Official resources