CVE-2026-42524NVD

Vulnerability Summary

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity Level

HIGH(8.0)

Published Date

Apr 29, 2026

Last Modified

May 5, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.05%Probability

Root Weakness (CWE)

CWE-79: Cross-site Scripting (XSS) ↗

The software does not neutralize user-controllable input before it is placed in output that is used as a web page.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3706

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-42524NVD

Vulnerability Summary

External References