Unpatched XSS Vulnerability in Jenkins Gatling Plugin Puts Users at Risk (CVE-2025-5806)
Ddos 
The Jenkins community has issued a high-severity security advisory for a newly disclosed vulnerability in the Gatling Pluginβa popular tool used for integrating performance testing reports into Jenkins CI pipelines.
Designated CVE-2025-5806, the vulnerability has been assigned a CVSS score of 8.0, marking it as high severity. The flaw resides in Gatling Plugin version 136.vb_9009b_3d33a_e, which, due to implementation issues, bypasses the Content-Security-Policy (CSP) protections introduced in Jenkins 1.641 and 1.625.3.
This improper handling of CSP headers opens the door for cross-site scripting (XSS) attacksβespecially in environments where users can modify or upload Gatling report content. If exploited, attackers could inject malicious JavaScript into Jenkins dashboards, enabling:
- Session hijacking
- Credential theft
- Redirection to malicious websites
- Persistent control over the Jenkins interface
This is particularly dangerous in shared or enterprise Jenkins environments, where multiple users interact with reporting features.
As of now, no official patch or fix has been released. The Jenkins team advises affected users to downgrade to Gatling Plugin version 1.3.0, which does not suffer from this vulnerability.
Related Posts:
- TeamTNT’s “Docker Gatling Gun” Campaign Targets Exposed Cloud Environments with New Sliver Malware
- Hackers earn $3 million by exploiting Jenkins servers and inserting mining Monero scripts
- Misconfigured Jenkins Servers Targeted in Cryptojacking Attacks
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
