30
CVEs
0
Critical
6
High
0
KEV
0
PoC
6
Unpatched C/H
3.3%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
6
MEDIUM
23
LOW
1
Monthly CVE Trend
Affected Products (30)
Java
148
Openshift
39
Openshift Container Platform
32
Script Security
29
Kubernetes
25
Pipeline
25
Communications Cloud Native Core Automated Test Suite
17
Open Redirect
14
Docker
12
Git
11
Build Failure Analyzer
10
Blue Ocean
10
Session Fixation
9
Email Extension
9
Ns Nd Integration Performance Publisher
8
Configuration As Code
8
Active Directory
7
Subversion
7
Openshift Deployer
7
Jervis
7
Rundeck
7
Saml Single Sign On
7
Openid Connect Authentication
7
Config File Provider
7
Google Compute Engine
6
Repository Connector
6
Electricflow
6
Gerrit Trigger
6
Openid
6
Deployment Dashboard
6
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-57301 | Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with | HIGH | 8.8 | 0.4% | 44 |
No patch
|
| CVE-2026-57280 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loo | HIGH | 8.8 | 0.4% | 44 |
No patch
|
| CVE-2026-57296 | Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. No public exploit identified at time of analysis, and CISA SSVC marks exploitation as none. | HIGH | 8.8 | 0.6% | 44 |
No patch
|
| CVE-2026-14336 | Server-side request forgery and OIDC token forgery in Eclipse CSI PIA lets an unauthenticated attacker abuse a flawed Jenkins issuer allowlist (a bare `startswith('https://ci.eclipse.org')` check in `is_issuer_known`, pia/models.py:139) to redirect OIDC discovery and JWKS fetches to an attacker-controlled host. By posting a crafted issuer such as `https://ci.eclipse.org@evil.host` or `https://ci.eclipse.org.evil.host` to `POST /v1/upload/sbom`, an attacker forces PIA to make outbound requests to arbitrary hosts and to accept a JWT signed with the attacker's own key, effectively bypassing token verification. No public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable, and the CVSS 3.1 base score is 8.2. | HIGH | 8.2 | 0.3% | 41 |
No patch
|
| CVE-2026-57281 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, all | HIGH | 7.5 | 0.4% | 38 |
No patch
|
| CVE-2026-57303 | XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. Exploitation requires the attacker to influence what the Assembla endpoint returns, so it is a targeted rather than mass-exploitable condition. | HIGH | 7.1 | 0.2% | 36 |
No patch
|
| CVE-2026-55847 | Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions. | MEDIUM | 6.1 | – | 30 |
|
| CVE-2026-57304 | Jenkins Assembla Plugin 1.4 and earlier exposes a connection-test endpoint without adequate permission enforcement, allowing any Jenkins user holding only Overall/Read permission to trigger outbound HTTP connections to an arbitrary attacker-controlled URL with attacker-supplied credentials. This enables both a limited Server-Side Request Forgery (SSRF) vector for internal network probing and credential interception on the attacker's endpoint. No public exploit code or active exploitation has been identified at time of analysis; SSVC assessment confirms exploitation status as none. | MEDIUM | 5.4 | 0.1% | 27 |
No patch
|
| CVE-2026-57294 | Missing permission check in Jenkins EC2 Fleet Plugin versions up to 4.2.3.539.v8fedff2a_81c3 enables any authenticated user holding the low-privilege Overall/Read role to trigger a credential-capture attack by directing the plugin to connect to an attacker-controlled endpoint and transmitting AWS credentials stored in Jenkins. The attacker must independently obtain a valid credential ID before exploiting this flaw, making it a chained attack rather than a direct standalone exploit. No public exploit code has been identified at time of analysis and CISA has not added this to the KEV catalog; SSVC rates exploitation status as none. | MEDIUM | 5.4 | 0.1% | 27 |
No patch
|
| CVE-2026-57305 | A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL | MEDIUM | 5.4 | 0.1% | 27 |
No patch
|
| CVE-2026-57295 | Cross-site request forgery in Jenkins EC2 Fleet Plugin versions through 4.2.3.539.v8fedff2a_81c3 enables a network attacker to force Jenkins to connect to an attacker-controlled endpoint using AWS credentials stored in Jenkins, effectively exfiltrating those credentials. All Jenkins instances with this plugin installed and AWS credentials configured are at risk. No active exploitation is confirmed (not in CISA KEV), SSVC rates this as non-automatable with partial technical impact, and no public exploit code has been identified at time of analysis. | MEDIUM | 5.4 | 0.1% | 27 |
No patch
|
| CVE-2026-57292 | Cross-site request forgery in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows network-accessible attackers to force a Jenkins instance to initiate connections to attacker-controlled URLs, using credential IDs previously obtained through a separate method. The CVSS vector confirms a low-privileged authenticated attacker posture (PR:L), meaning the victim must hold an active Jenkins session. No active exploitation is confirmed per CISA KEV, and the SSVC framework rates exploitation as currently none with partial technical impact. | MEDIUM | 5.4 | 0.1% | 27 |
No patch
|
| CVE-2026-57291 | Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow any authenticated user holding the minimal Overall/Read Jenkins role to trigger outbound connections from the Jenkins controller to an attacker-specified URL using credential IDs sourced through a secondary method. This creates an SSRF-like primitive enabling internal network probing and credential ID validation without administrative access. No public exploit code has been identified at time of analysis, and SSVC confirms current exploitation status as none. | MEDIUM | 5.4 | 0.1% | 27 |
No patch
|
| CVE-2026-57298 | Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote attacker to force a Jenkins instance to establish outbound connections to an arbitrary attacker-controlled URL, supplying attacker-chosen credentials including a username, API key, and service key. Any authenticated Jenkins user can be the unwitting victim if tricked into visiting a crafted page while logged in. No public exploit code or confirmed active exploitation has been identified at time of analysis, and SSVC rates exploitation likelihood as none with partial technical impact. | MEDIUM | 5.4 | 0.1% | 27 |
No patch
|
| CVE-2026-57282 | Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper sc | MEDIUM | 5.0 | 0.2% | 25 |
No patch
|