Jenkins

Vendor security scorecard – 15 CVEs in the selected period

Risk: 40
CVEs: 15
Critical: 0
High: 10
KEV: 0
PoC: 0
Unpatched Critical/High: 0
Patch rate: 100.0%
Average EPSS: 0.0%

Severity Breakdown

CRITICAL: 0
HIGH: 10
MEDIUM: 5
LOW: 0

Monthly CVE Trend (chart only; no data values were extracted)

Top Risky CVEs

Columns: CVE, Severity, CVSS, EPSS, Priority (no Signals were listed for any entry), followed by the summary.

CVE-2026-33001 | HIGH | CVSS 8.8 | EPSS 0.0% | Priority 44
Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction: symbolic links are not processed safely, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission, or with control over a Jenkins agent process, can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through the plugin installation mechanism.

CVE-2026-33166 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 43
Path traversal in the Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when attachments are processed during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

CVE-2026-27099 | HIGH | CVSS 8.0 | EPSS 0.0% | Priority 40
Jenkins versions 2.483 through 2.550 and LTS 2.492.1 through 2.541.1 contain a stored XSS vulnerability in the agent offline cause description field, which does not properly sanitize user input. Attackers with Agent/Configure or Agent/Disconnect permission can inject scripts that execute in the browsers of other users viewing the affected agent configuration. No patch is currently available for this vulnerability.

CVE-2025-68704 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random(), which is not cryptographically secure, for timing attack mitigation.

CVE-2025-68931 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding is used without authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation.

CVE-2025-68701 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38
Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm.

CVE-2025-68702 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38
Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm.

CVE-2026-33002 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38
Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of the Host and X-Forwarded-Host headers to compute the expected request origin, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team.

CVE-2025-68703 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase).

CVE-2025-68698 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 38
Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm.

CVE-2025-13472 | MEDIUM | CVSS 5.3 | EPSS 0.0% | Priority 27
A remote code execution vulnerability in the BlazeMeter Jenkins Plugin that can be exploited only by users holding certain permissions. Remediation should follow standard vulnerability management procedures.

CVE-2025-68925 | MEDIUM | CVSS 5.3 | EPSS 0.0% | Priority 27
Jervis versions up to 2.2 are affected by improper verification of cryptographic signatures.

CVE-2026-27100 | MEDIUM | CVSS 4.3 | EPSS 0.1% | Priority 22
Jenkins versions 2.550 and earlier fail to properly validate Run Parameter access controls, allowing authenticated users with Item/Build and Item/Configure permissions to enumerate sensitive information about jobs, builds, and their display names that they should not have access to. This information disclosure vulnerability also affects Jenkins LTS 2.541.1 and earlier; no patch is currently available. Attackers can exploit this to gather intelligence about build infrastructure by referencing builds outside their authorized scope.

CVE-2026-33003 | MEDIUM | CVSS 4.3 | EPSS 0.0% | Priority 22
The Jenkins LoadNinja Plugin versions 2.1 and earlier stores LoadNinja API keys in plaintext within job configuration files (config.xml) on the Jenkins controller, allowing unauthorized disclosure of sensitive credentials. Users with Item/Extended Read permission on Jenkins jobs, or with direct file system access to the controller, can extract these API keys, potentially leading to account compromise and unauthorized access to LoadNinja services. This is a straightforward credential exposure vulnerability with no complexity barriers to exploitation once access is gained.

CVE-2026-33004 | MEDIUM | CVSS 4.3 | EPSS 0.0% | Priority 22
The Jenkins LoadNinja Plugin versions 2.1 and earlier fails to mask LoadNinja API keys displayed on the job configuration form, allowing attackers with access to the Jenkins web interface to observe and capture sensitive credentials. This information disclosure vulnerability affects Jenkins administrators and users with job configuration visibility, enabling credential theft that could lead to unauthorized access to LoadNinja services and associated testing infrastructure. No CVSS score, EPSS data, or active exploitation status (KEV listing) is currently available in public sources.
