PatchSiren cyber security CVE debrief
CVE-2026-53437 Jenkins Project CVE debrief
CVE-2026-53437 is a medium-severity vulnerability in Jenkins that allows attackers to perform phishing attacks. The vulnerability is caused by improper validation of redirect URLs after login, which can be exploited by attackers to redirect users to malicious sites. The vulnerability affects Jenkins versions 2.567 and earlier, as well as LTS versions 2.555.2 and earlier.
- Vendor
- Jenkins Project
- Product
- Jenkins
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-11
Who should care
Administrators and users of Jenkins versions 2.567 and earlier, and of LTS versions 2.555.2 and earlier, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by Jenkins improperly determining that a redirect URL supplied after login legitimately points back to Jenkins when the URL contains tab or newline characters between the two slashes of `//`. Because browsers strip those characters before navigating, a value that passes the check can still resolve to an external host, allowing attackers to perform phishing attacks by redirecting users to malicious sites.
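The following added example, not Jenkins' own code, contrasts a lax redirect-target check with a strict one to show the CWE-601 weakness this advisory describes. The host `evil.example` and the `/job/test/` path are constructed sample values.

```python
from urllib.parse import urlsplit

# Hypothetical validator for a post-login redirect parameter, written here
# to illustrate the bug class; it is not the Jenkins implementation.

def browser_normalize(target: str) -> str:
    """Mimic WHATWG URL parsing, which drops ASCII tab and newline characters
    from a URL before resolving it. Assumption: this is the only step that
    matters for the example."""
    return target.replace("\t", "").replace("\n", "").replace("\r", "")


def naive_is_local_redirect(target: str) -> bool:
    """Lax check: anything starting with a single '/' is treated as local.
    A literal test for '//' misses '/' + whitespace + '/', which the browser
    later collapses into a protocol-relative URL."""
    return target.startswith("/") and not target.startswith("//")


def strict_is_local_redirect(target: str) -> bool:
    """Hardened check: reject control/whitespace characters outright, reject
    protocol-relative and backslash variants, and confirm the parsed value
    carries no scheme or authority."""
    if not target or any(ord(c) < 0x20 or c.isspace() for c in target):
        return False
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    # Constructed sample: a tab between the two slashes.
    sample = "/\t/evil.example/login"
    print(naive_is_local_redirect(sample))                      # True  (bypass)
    print(naive_is_local_redirect(browser_normalize(sample)))   # False (what the browser sees)
    print(strict_is_local_redirect(sample))                     # False (rejected)
```

Run the lax check on the raw value and on its browser-normalised form to see the gap between what the server validates and where the browser actually navigates.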
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Jenkins version 2.568 or later, or LTS version 2.555.3 or later.
- Refer to the vendor advisory for more information: [ref-4](https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3711+3755)
Evidence notes
CVE-2026-53437 has a CVSS score of 4.3 and is classified as MEDIUM severity. The vulnerability is related to CWE-601.
Official resources
- CVE-2026-53437 CVE record (CVE.org)
- CVE-2026-53437 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
CVE-2026-53437 was published on 2026-06-10T14:16:36.677Z and modified on 2026-06-11T13:23:10.640Z.