| Metric | Value |
|---|---|
| CVEs | 61 |
| Critical | 2 |
| High | 15 |
| KEV | 0 |
| PoC | 1 |
| Unpatched C/H | 2 |
| Patch Rate | 49.2% |
| Avg EPSS | 0.1% |
Severity Breakdown
| Severity | Count |
|---|---|
| CRITICAL | 2 |
| HIGH | 15 |
| MEDIUM | 44 |
| LOW | 0 |
Monthly CVE Trend
Affected Products (30)
| Product | CVEs |
|---|---|
| Jervis | 7 |
| Applitools Eyes | 3 |
| Cadence vManager | 3 |
| Java | 3 |
| Nouvola DiveCloud | 2 |
| Sensedia API Platform Tools | 2 |
| Statistics Gatherer | 2 |
| QMetry Test Management | 2 |
| ReadyAPI Functional Testing | 2 |
| AsakusaSatellite | 2 |
| Azure Service Fabric | 2 |
| Docker | 2 |
| Apica LoadTest | 2 |
| VAddy | 2 |
| Xooa | 2 |
| IBM Cloud DevOps | 1 |
| IFTTT Build Notifier | 1 |
| User1st uTester | 1 |
| Virtual Appliance Host | 1 |
| Git Parameter | 1 |
| Stack Hammer | 1 |
| OpenTelemetry | 1 |
| Monitor Remote Job | 1 |
| Global Build Stats | 1 |
| SSH Slave | 1 |
| Warrior Framework | 1 |
| Testsigma Test Plan Run | 1 |
| Anchorchain | 1 |
| SSH Agent | 1 |
| Credentials Binding | 1 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-47889 | In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 0.1% | 49 | No patch |
| CVE-2026-33001 | Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms. | HIGH | 8.8 | 0.0% | 44 | |
| CVE-2026-33166 | Path traversal in the Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available. | HIGH | 8.6 | 0.0% | 43 | |
| CVE-2025-53652 | Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters. | HIGH | 8.2 | 0.0% | 41 | |
| CVE-2026-27099 | Jenkins versions 2.483-2.550 and LTS 2.492.1-2.541.1 contain a stored XSS vulnerability in the agent offline cause description field, which fails to properly sanitize user input. Attackers with Agent/Configure or Agent/Disconnect permission can inject malicious scripts that execute in the browsers of other users viewing the affected agent configuration. No patch is currently available for this vulnerability. | HIGH | 8.0 | 0.0% | 40 | |
| CVE-2025-5806 | A cross-site scripting vulnerability (CVSS 8.0). High severity vulnerability requiring prompt remediation. | HIGH | 8.0 | 0.0% | 40 | |
| CVE-2025-68704 | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random(), which is not cryptographically secure, for timing attack mitigation. [CVSS 7.5 HIGH] | HIGH | 7.5 | 0.0% | 38 | |
| CVE-2025-68931 | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. [CVSS 7.5 HIGH] | HIGH | 7.5 | 0.0% | 38 | |
| CVE-2025-68701 | Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5). | HIGH | 7.5 | 0.0% | 38 | |
| CVE-2025-68702 | Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5). | HIGH | 7.5 | 0.0% | 38 | |
| CVE-2026-33002 | Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of the Host and X-Forwarded-Host headers to compute the expected request origin, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team. | HIGH | 7.5 | 0.0% | 38 | |
| CVE-2025-68703 | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). [CVSS 7.5 HIGH] | HIGH | 7.5 | 0.0% | 38 | |
| CVE-2025-68698 | Jervis versions up to 2.2 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5). | HIGH | 7.5 | 0.0% | 38 | |
| CVE-2025-53650 | Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. | HIGH | 7.3 | 0.1% | 37 | |
| CVE-2025-53664 | CVE-2025-53664 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. | MEDIUM | 6.5 | 0.1% | 33 | No patch |