These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-53442 is a medium-severity vulnerability affecting Jenkins versions 2.567 and earlier, as well as LTS versions 2.555.2 and earlier. The vulnerability causes Jenkins to store secrets from POST config.xml submissions in an unencrypted format in job config.xml files on the Jenkins controller. This allows users with Item/Extended Read permission or access to the Jenkins controller file system to view [truncated]
CVE-2026-53441 is a stored cross-site scripting (XSS) vulnerability in Jenkins 2.483 through 2.567 and LTS 2.492.1 through 2.555.2. The vulnerability occurs because Jenkins does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API. This allows attackers with Agent/Configure permission to exploit the vulnerability.
CVE-2026-53440 is a medium-severity vulnerability in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier. The vulnerability occurs because the 'from' parameter in the 'Delegate to servlet container' security realm is not properly validated, allowing attackers to redirect users to an attacker-controlled domain after login, which can be used for phishing attacks.
CVE-2026-53439 is a medium-severity vulnerability in Jenkins. The issue allows attackers with Overall/Read permission to determine other users' configured timezone and enumerate view names of other users' 'My Views'. This vulnerability affects Jenkins 2.567 and earlier, as well as LTS 2.555.2 and earlier.
CVE-2026-53438 is a medium-severity vulnerability in Jenkins that allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. This issue affects Jenkins 2.567 and earlier, as well as LTS 2.555.2 and earlier.
CVE-2026-53437 is a medium-severity vulnerability in Jenkins that allows attackers to perform phishing attacks. The vulnerability is caused by improper validation of redirect URLs after login, which can be exploited by attackers to redirect users to malicious sites. The vulnerability affects Jenkins versions 2.567 and earlier, as well as LTS versions 2.555.2 and earlier.
CVE-2026-53436 is a medium-severity vulnerability in Jenkins that allows attackers to perform phishing attacks due to improper validation of redirect URLs after login. The vulnerability affects Jenkins 2.567 and earlier, as well as LTS 2.555.2 and earlier. The issue arises from the application's failure to properly determine if a redirect URL contains relative path segments (`./` or `../`), which can be e [truncated]
CVE-2026-53435 is a high-severity vulnerability in Jenkins, a popular automation server. The vulnerability has a CVSS score of 8.8. It affects Jenkins versions 2.567 and earlier, as well as LTS versions 2.555.2 and earlier. The vulnerability allows attackers to deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` subm [truncated]
A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. The vulnerability was published on 2026-05-27 and carries a CVSS 3.1 score of 4.3 (MEDIUM severity). The attack vector is network-based with low attack complexity, requiring no privileges but user interaction. The vulnerability affects confidential [truncated]
A stored cross-site scripting (XSS) vulnerability exists in Jenkins buildgraph-view Plugin versions 1.8 and earlier. The plugin fails to escape the build URL, allowing attackers with job or view configuration privileges to inject malicious scripts. When other users view affected build graphs, the injected scripts execute in their browser context. This represents a medium-severity privilege escalation vect [truncated]
A missing permission check in Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs stored in Jenkins. This information disclosure vulnerability (CWE-269) has a CVSS 3.1 score of 4.3 (Medium severity). The issue was disclosed in the Jenkins security advisory dated 2026-05-27. No known exploitation in the wild or ransomware camp [truncated]
A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request. The vulnerability was published on 2026-05-27 and carries a CVSS 3.1 score of 4.3 (MEDIUM severity). The issue stems from missing CSRF protections on an endpoint that initiates pull request builds, enabling an attacker to forge requests that could [truncated]
Jenkins Bitbucket OAuth Plugin 0.17 and earlier contains an open redirect vulnerability (CWE-601) that allows attackers to redirect users to arbitrary URLs after authentication. The plugin fails to validate or restrict the redirect URL parameter during the OAuth login flow, enabling phishing attacks where users may be sent to attacker-controlled sites after completing legitimate authentication. This vulne [truncated]
A missing permission check in the Jenkins AppSpider Plugin (versions 1.0.17 and earlier) allows attackers with Overall/Read permission to connect to attacker-specified URLs through a form validation method. This vulnerability, disclosed in the Jenkins security advisory for May 27, 2026, enables unauthorized Server-Side Request Forgery (SSRF) capabilities that could be leveraged for internal network reconn [truncated]
A path traversal vulnerability in Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier allows attackers with job credential configuration privileges to write files to arbitrary locations on the Jenkins node filesystem. The vulnerability stems from improper sanitization of file names for file and zip file credentials. Successful exploitation can lead to remote code execution when Jenkins is co [truncated]
A path traversal vulnerability in Jenkins Pipeline: Groovy Libraries Plugin allows attackers with control over shared library content to read arbitrary files on the Jenkins controller filesystem. The plugin versions 797.v90ea_a_9b_e45a_0 and earlier fail to prohibit symbolic links in shared libraries, enabling directory traversal attacks. This vulnerability is classified as HIGH severity with a CVSS score [truncated]
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier contains a path traversal vulnerability (CWE-73) that allows attackers with control over email content to read arbitrary files from the Jenkins controller filesystem. The plugin permits inlining images as base64 via the `data-inline` attribute without restricting the image URLs that can be inlined, enabling attackers to specify `file:` URLs to [truncated]
The Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation, creating a deserialization of untrusted data vulnerability (CWE-502). This flaw could allow an attacker with administrative privileges to execute arbitrary code through malicious LDAP referral responses. The vulnerability was disclosed in the Jenkins security advisory dated 2026-05-27. The CVSS 3 [truncated]
The Jenkins Active Directory Plugin versions 2.41 and earlier follow LDAP referrals by default, which may allow authentication requests to be redirected to unintended directory servers. This behavior could potentially enable Server-Side Request Forgery (SSRF) or credential disclosure scenarios if an attacker can influence referral targets in a compromised or maliciously configured Active Directory environ [truncated]
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. This vulnerability allows an attacker to potentially execute arbitrary code through maliciously crafted LDAP referral responses. The issue stems from improper deserialization of untrusted data (CWE-502), a common attack vector in Java applications. The vulnerability was disclosed in the Jenkins secu [truncated]
The Jenkins LDAP Plugin versions 807.v7d7de30930cf and earlier follow LDAP referrals, which can lead to Server-Side Request Forgery (SSRF) conditions. When the plugin processes LDAP referrals, it may make outbound connections to attacker-controlled servers specified in malicious referral responses. This behavior is classified under CWE-918 (Server-Side Request Forgery). The vulnerability requires high att [truncated]
CVE-2026-33001 is a high-severity vulnerability in Jenkins that allows attackers to write files to arbitrary locations on the filesystem using crafted .tar and .tar.gz archives. This vulnerability affects Jenkins versions 2.554 and earlier, as well as LTS versions 2.541.2 and earlier. An attacker with Item/Configure permission or control over agent processes can exploit this vulnerability to deploy malici [truncated]
CVE-2019-1003000 describes a sandbox bypass in Jenkins Script Security Plugin 1.49 and earlier. If an attacker can provide sandboxed scripts, the flaw may let them escape the intended restrictions and execute arbitrary code on the Jenkins master JVM. Because the controller/master is central to Jenkins operations, this is a high-impact issue for environments that accept or process untrusted Groovy scripts.