High-Severity RCE and XSS Flaws Found in Popular CI/CD Jenkins Plugins

Do Son April 30, 2026 2 minutes read

The Jenkins project has released a security advisory, addressing several vulnerabilities across its plugin ecosystem. The fixes cover a range of threats, from remote code execution (RCE) and path traversal to stored cross-site scripting (XSS), affecting thousands of CI/CD environments.

The most critical fixes involve plugins that handle external credentials and job publishing, where simple oversight could lead to full system compromise.

RCE via Credentials Binding (CVE-2026-42520): This “High” severity path traversal flaw exists because the plugin fails to sanitize file names for zip or file credentials. If a low-privileged user configures these for a job on a built-in node, it can lead to remote code execution.
Stored XSS in GitHub Plugin (CVE-2026-42523): Attackers with “Overall/Read” permissions could exploit improper processing of job URLs to execute malicious JavaScript.
Legacy Wrapper XSS in HTML Publisher (CVE-2026-42524): A failure to escape job names and URLs in legacy wrapper files allowed attackers with “Item/Configure” permissions to launch stored XSS attacks.

The advisory also highlighted several Medium Severity issues that could allow attackers to gather intelligence or manipulate users.

Plugin	Vulnerability	Impact
Script Security	Missing Permission Check	Attackers can enumerate pending and approved classpaths.
Matrix Auth	Unsafe Deserialization	Misuse of constructors can lead to information disclosure.
Microsoft Entra ID	Open Redirect	Facilitates phishing by forwarding users to malicious sites after login.
GitHub Branch Source	Missing Permission Check	Allows unauthorized connection tests to specified URLs.

Jenkins has released updated versions for all affected plugins to mitigate these risks. Administrators are urged to verify their plugin versions against the following table and upgrade immediately:

Credentials Binding Plugin: Upgrade to version 720.v3f6decef43ea_ or later.
GitHub Plugin: Upgrade to version 1.46.0.1 or later.
HTML Publisher Plugin: Upgrade to version 427.1 or later.
Matrix Authorization Strategy Plugin: Upgrade to version 3.2.10 or later.
Microsoft Entra ID Plugin: Upgrade to version 667.v4c5827a_e74a_0 or later.

Rate this post

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Do Son

Do Son (aka Ddos) is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

Critical Alert 1 Active Exploit Detected Today

Leave a Reply Cancel reply

Critical Alert 1 Active Exploit Detected Today

Support Our Threat Intelligence

Related posts:

Do Son

Leave a Reply Cancel reply