What is the CVSS score of CVE-2025-5806?

CVE-2025-5806 has a CVSS 3.1 base score of 8.0 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Java are affected by CVE-2025-5806?

Jenkins Gatling Plugin contains a cross-site scripting (XSS) vulnerability that allows authenticated users with report modification capabilities to inject malicious scripts, potentially compromising…. A patch is available.

How to fix or mitigate CVE-2025-5806?

Within 24 hours: Identify all Jenkins instances running Gatling Plugin and document which users have permissions to modify reports. Within 7 days: Implement compensating controls (disable Gatling report serving if not critical, apply WAF rules, or restrict plugin access via network segmentation). Within 30 days: Monitor vendor advisories for patch availability and maintain an elevated alert posture for exploitation attempts.

Java CVE-2025-5806

EUVD-2025-17299 HIGH

Cross-site Scripting (XSS) (CWE-79)

2025-06-06 jenkinsci-cert@googlegroups.com

GHSA-gw97-cqwg-xmh4

XSS Java Jenkins Gatling

8.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 18:10 euvd

EUVD-2025-17299

Analysis Generated

Mar 14, 2026 - 18:10 vuln.today

CVE Published

Jun 06, 2025 - 14:15 nvd

HIGH 8.0

DescriptionNVD

Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

AnalysisAI

A cross-site scripting vulnerability (CVSS 8.0). High severity vulnerability requiring prompt remediation.

Technical ContextAI

CWE-79 (Cross-site Scripting). CVSS 8.0 indicates high severity.

RemediationAI

Monitor vendor channels for patch availability.

More from same product – last 7 days

CVE-2026-48920 HIGH This Week

8.8 May 27

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets

CVE-2026-48922 HIGH This Week

7.5 May 27

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who c

CVE-2026-48921 HIGH This Week

7.5 May 27

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 79

CVE-2026-48919 MEDIUM This Month

6.6 May 27

Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrati

CVE-2026-48918 MEDIUM This Month

6.6 May 27

Server-Side Request Forgery in Jenkins Active Directory Plugin 2.41 and earlier enables a highly privileged attacker to

CVE-2025-5806 vulnerability details – vuln.today

Back

Java CVE-2025-5806

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code