Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attacker must control the Assembla server's responses (a non-trivial precondition) so AC:H rather than AC:L; PR:L for the configured-integration foothold; high confidentiality from secret/file disclosure, low integrity via SSRF, no availability impact.
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.
Articles & Coverage 2
AnalysisAI
XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker can control the HTTP/XML responses returned by the Assembla server that a Jenkins job is configured to communicate with - for example a compromised/malicious Assembla instance or a man-in-the-middle position on a non-validated or plaintext connection. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to a real-but-conditional issue rather than a drop-everything emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or impersonates the Assembla server configured in a Jenkins job (via a compromised endpoint or a man-in-the-middle on an unencrypted connection) returns a crafted XML payload containing a malicious external entity. When the Jenkins controller parses that response, the XXE entity reads a local secret file (e.g., credentials) or forces the controller to issue requests to internal systems (SSRF). … |
| Remediation | No vendor-released patched version is identified in the available data, so a specific upgrade target cannot be cited; consult the Jenkins advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3692%20(1) for the current fix status and apply any released update once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Jenkins instances running Assembla Plugin and identify installed versions via plugin manager. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jenkins Assembla Plugin
View allJenkins Assembla Plugin 1.4 and earlier exposes a connection-test endpoint without adequate permission enforcement, allo
A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38784
GHSA-2q27-6p2h-q6r3