69
CVEs
1
Critical
17
High
0
KEV
1
PoC
7
Unpatched C/H
44.9%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
1
HIGH
17
MEDIUM
49
LOW
2
Monthly CVE Trend
Affected Products (30)
Java
148
Openshift
39
Openshift Container Platform
32
Script Security
29
Kubernetes
25
Pipeline
25
Communications Cloud Native Core Automated Test Suite
17
Open Redirect
14
Docker
12
Git
11
Build Failure Analyzer
10
Blue Ocean
10
Session Fixation
9
Email Extension
9
Ns Nd Integration Performance Publisher
8
Configuration As Code
8
Active Directory
7
Subversion
7
Openshift Deployer
7
Jervis
7
Rundeck
7
Saml Single Sign On
7
Openid Connect Authentication
7
Config File Provider
7
Google Compute Engine
6
Repository Connector
6
Electricflow
6
Gerrit Trigger
6
Openid
6
Deployment Dashboard
6
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-42523 | Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub | CRITICAL | 9.0 | 0.0% | 45 |
|
| CVE-2026-57301 | Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with | HIGH | 8.8 | 0.4% | 44 |
No patch
|
| CVE-2026-57280 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loo | HIGH | 8.8 | 0.4% | 44 |
No patch
|
| CVE-2026-53435 | Authenticated remote code execution in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) allows attackers with permission to submit config.xml to trigger deserialization of arbitrary core or plugin types that subsequently handle HTTP requests, enabling user impersonation, Script Console abuse, and arbitrary file reads from the controller. The flaw is tracked as a CWE-502 unsafe deserialization issue with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No public exploit identified at time of analysis, but the vendor (Jenkins project) has issued a coordinated advisory and patched releases. | HIGH | 8.8 | 0.1% | 44 |
No patch
|
| CVE-2026-48920 | Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-33001 | Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2026-57296 | Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. No public exploit identified at time of analysis, and CISA SSVC marks exploitation as none. | HIGH | 8.8 | 0.6% | 44 |
No patch
|
| CVE-2026-33166 | Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available. | HIGH | 8.6 | 0.0% | 43 |
|
| CVE-2026-14336 | Server-side request forgery and OIDC token forgery in Eclipse CSI PIA lets an unauthenticated attacker abuse a flawed Jenkins issuer allowlist (a bare `startswith('https://ci.eclipse.org')` check in `is_issuer_known`, pia/models.py:139) to redirect OIDC discovery and JWKS fetches to an attacker-controlled host. By posting a crafted issuer such as `https://ci.eclipse.org@evil.host` or `https://ci.eclipse.org.evil.host` to `POST /v1/upload/sbom`, an attacker forces PIA to make outbound requests to arbitrary hosts and to accept a JWT signed with the attacker's own key, effectively bypassing token verification. No public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable, and the CVSS 3.1 base score is 8.2. | HIGH | 8.2 | 0.3% | 41 |
No patch
|
| CVE-2026-27099 | Jenkins versions 2.483-2.550 and LTS 2.492.1-2.541.1 contain a stored XSS vulnerability in the agent offline cause description field that fails to properly sanitize user input. Attackers with Agent/Configure or Agent/Disconnect permissions can inject malicious scripts that execute in the browsers of other users viewing the affected agent configuration. No patch is currently available for this vulnerability. | HIGH | 8.0 | 0.0% | 40 |
|
| CVE-2026-42524 | Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting | HIGH | 8.0 | 0.0% | 40 |
|
| CVE-2026-57281 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, all | HIGH | 7.5 | 0.4% | 38 |
No patch
|
| CVE-2026-42520 | Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers a | HIGH | 7.5 | 0.3% | 38 |
|
| CVE-2026-48922 | Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV. | HIGH | 7.5 | 0.2% | 38 |
|
| CVE-2026-48921 | Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency. | HIGH | 7.5 | 0.0% | 38 |
|