CVE-2026-42523NVD

Vulnerability Summary

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Severity Level

CRITICAL(9.0)

Published Date

Apr 29, 2026

Last Modified

May 5, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.05%Probability

Root Weakness (CWE)

CWE-79: Cross-site Scripting (XSS) ↗

The software does not neutralize user-controllable input before it is placed in output that is used as a web page.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3704

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-42523NVD

Vulnerability Summary

External References