Export limit exceeded: 363351 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 16500 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363351 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (71 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57304 | 1 Jenkins Project | 1 Jenkins Assembla Plugin | 2026-06-24 | 5.4 Medium |
| A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. | ||||
| CVE-2026-57305 | 1 Jenkins Project | 1 Jenkins Assembla Plugin | 2026-06-24 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password. | ||||
| CVE-2026-57306 | 1 Jenkins Project | 1 Jenkins Zowe Zdevops Plugin | 2026-06-24 | 4.2 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2026-57307 | 1 Jenkins Project | 1 Jenkins Zowe Zdevops Plugin | 2026-06-24 | 4.2 Medium |
| A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | ||||
| CVE-2026-57283 | 1 Jenkins Project | 1 Jenkins Pipeline Groovy Libraries Plugin | 2026-06-24 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator. | ||||
| CVE-2026-57284 | 1 Jenkins Project | 1 Jenkins Pipeline Groovy Libraries Plugin | 2026-06-24 | 4.3 Medium |
| Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps. | ||||
| CVE-2026-57281 | 1 Jenkins Project | 1 Jenkins Script Security Plugin | 2026-06-24 | 7.5 High |
| Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script. | ||||
| CVE-2026-57280 | 1 Jenkins Project | 1 Jenkins Script Security Plugin | 2026-06-24 | 8.8 High |
| Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection. | ||||
| CVE-2026-48917 | 2 Jenkins, Jenkins Project | 2 Ldap, Jenkins Ldap Plugin | 2026-06-18 | 6.6 Medium |
| Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. | ||||
| CVE-2026-48919 | 2 Jenkins, Jenkins Project | 2 Active Directory, Jenkins Active Directory Plugin | 2026-06-18 | 6.6 Medium |
| Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. | ||||
| CVE-2026-48922 | 2 Jenkins, Jenkins Project | 2 Credentials Binding, Jenkins Credentials Binding Plugin | 2026-06-18 | 7.5 High |
| Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | ||||
| CVE-2026-42520 | 2 Jenkins, Jenkins Project | 2 Credentials Binding, Jenkins Credentials Binding Plugin | 2026-06-18 | 7.5 High |
| Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | ||||
| CVE-2026-53441 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-17 | 5.4 Medium |
| Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | ||||
| CVE-2026-53435 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-12 | 8.8 High |
| In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller. | ||||
| CVE-2026-53442 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-12 | 5.3 Medium |
| Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2026-53440 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-12 | 4.3 Medium |
| Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. | ||||
| CVE-2026-53436 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-11 | 4.3 Medium |
| Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks. | ||||
| CVE-2026-53437 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-11 | 4.3 Medium |
| Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks. | ||||
| CVE-2026-53438 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-11 | 4.3 Medium |
| A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. | ||||
| CVE-2026-53439 | 2 Jenkins, Jenkins Project | 2 Jenkins, Jenkins | 2026-06-11 | 4.3 Medium |
| Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". | ||||