Vulnerability-Lookup

WID-SEC-W-2026-1707

Vulnerability from csaf_certbund - Published: 2026-05-27 22:00 - Updated: 2026-05-27 22:00

Summary

Jenkins Plugins: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Jenkins Plugins ausnutzen, um Informationen offenzulegen, um Dateien zu manipulieren, um einen Cross-Site Scripting Angriff durchzuführen, um beliebigen Programmcode auszuführen, und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2026-48916

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48917

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48918

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48919

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48920

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48921

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48922

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48923

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48924

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48925

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48926

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-48927

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

CVE-2026-9674

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Jenkins Jenkins GitHub Integration Plugin <0.7.4 Jenkins / Jenkins		GitHub Integration Plugin <0.7.4
Jenkins Jenkins Email Extension Plugin <1933.1935.v276319e3cc47 Jenkins / Jenkins		Email Extension Plugin <1933.1935.v276319e3cc47
Jenkins Jenkins Credentials Binding Plugin <725.ve52b_2328a_fde Jenkins / Jenkins		Credentials Binding Plugin <725.ve52b_2328a_fde
Jenkins Jenkins Bitbucket OAuth Plugin <0.18 Jenkins / Jenkins		Bitbucket OAuth Plugin <0.18
Jenkins Jenkins AppSpider Plugin <1.0.18 Jenkins / Jenkins		AppSpider Plugin <1.0.18
Jenkins Jenkins Active Directory Plugin <2.41.1 Jenkins / Jenkins		Active Directory Plugin <2.41.1
Jenkins Jenkins Pipeline: Groovy Libraries Plugin <798.v5cc688825312 Jenkins / Jenkins		Pipeline: Groovy Libraries Plugin <798.v5cc688825312
Jenkins Jenkins Multijob Plugin <669.v9d96a_d9c71b_0 Jenkins / Jenkins		Multijob Plugin <669.v9d96a_d9c71b_0
Jenkins Jenkins LDAP Plugin <807.809.vd3a_4e5e4ec98 Jenkins / Jenkins		LDAP Plugin <807.809.vd3a_4e5e4ec98
Jenkins Jenkins Job Import Plugin <143.145.v48f9a_a_6ff384 Jenkins / Jenkins		Job Import Plugin <143.145.v48f9a_a_6ff384

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.jenkins.io/security/advisory/2026-05-27/	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Jenkins Plugins ausnutzen, um Informationen offenzulegen, um Dateien zu manipulieren, um einen Cross-Site Scripting Angriff durchzuf\u00fchren, um beliebigen Programmcode auszuf\u00fchren, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1707 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1707.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1707 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1707"
      },
      {
        "category": "external",
        "summary": "Jenkins Security Advisory 2026-05-27 vom 2026-05-27",
        "url": "https://www.jenkins.io/security/advisory/2026-05-27/"
      }
    ],
    "source_lang": "en-US",
    "title": "Jenkins Plugins: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-27T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-28T10:05:38.479+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1707",
      "initial_release_date": "2026-05-27T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Active Directory Plugin \u003c2.41.1",
                "product": {
                  "name": "Jenkins Jenkins Active Directory Plugin \u003c2.41.1",
                  "product_id": "T054789"
                }
              },
              {
                "category": "product_version",
                "name": "Active Directory Plugin 2.41.1",
                "product": {
                  "name": "Jenkins Jenkins Active Directory Plugin 2.41.1",
                  "product_id": "T054789-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:active_directory_plugin__2.41.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "AppSpider Plugin \u003c1.0.18",
                "product": {
                  "name": "Jenkins Jenkins AppSpider Plugin \u003c1.0.18",
                  "product_id": "T054790"
                }
              },
              {
                "category": "product_version",
                "name": "AppSpider Plugin 1.0.18",
                "product": {
                  "name": "Jenkins Jenkins AppSpider Plugin 1.0.18",
                  "product_id": "T054790-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:appspider_plugin__1.0.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Bitbucket OAuth Plugin \u003c0.18",
                "product": {
                  "name": "Jenkins Jenkins Bitbucket OAuth Plugin \u003c0.18",
                  "product_id": "T054791"
                }
              },
              {
                "category": "product_version",
                "name": "Bitbucket OAuth Plugin 0.18",
                "product": {
                  "name": "Jenkins Jenkins Bitbucket OAuth Plugin 0.18",
                  "product_id": "T054791-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:bitbucket_oauth_plugin__0.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Credentials Binding Plugin \u003c725.ve52b_2328a_fde",
                "product": {
                  "name": "Jenkins Jenkins Credentials Binding Plugin \u003c725.ve52b_2328a_fde",
                  "product_id": "T054792"
                }
              },
              {
                "category": "product_version",
                "name": "Credentials Binding Plugin 725.ve52b_2328a_fde",
                "product": {
                  "name": "Jenkins Jenkins Credentials Binding Plugin 725.ve52b_2328a_fde",
                  "product_id": "T054792-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:credentials_binding_plugin__725.ve52b_2328a_fde"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Email Extension Plugin \u003c1933.1935.v276319e3cc47",
                "product": {
                  "name": "Jenkins Jenkins Email Extension Plugin \u003c1933.1935.v276319e3cc47",
                  "product_id": "T054793"
                }
              },
              {
                "category": "product_version",
                "name": "Email Extension Plugin 1933.1935.v276319e3cc47",
                "product": {
                  "name": "Jenkins Jenkins Email Extension Plugin 1933.1935.v276319e3cc47",
                  "product_id": "T054793-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:email_extension_plugin__1933.1935.v276319e3cc47"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "GitHub Integration Plugin \u003c0.7.4",
                "product": {
                  "name": "Jenkins Jenkins GitHub Integration Plugin \u003c0.7.4",
                  "product_id": "T054794"
                }
              },
              {
                "category": "product_version",
                "name": "GitHub Integration Plugin 0.7.4",
                "product": {
                  "name": "Jenkins Jenkins GitHub Integration Plugin 0.7.4",
                  "product_id": "T054794-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:github_integration_plugin__0.7.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Job Import Plugin \u003c143.145.v48f9a_a_6ff384",
                "product": {
                  "name": "Jenkins Jenkins Job Import Plugin \u003c143.145.v48f9a_a_6ff384",
                  "product_id": "T054795"
                }
              },
              {
                "category": "product_version",
                "name": "Job Import Plugin 143.145.v48f9a_a_6ff384",
                "product": {
                  "name": "Jenkins Jenkins Job Import Plugin 143.145.v48f9a_a_6ff384",
                  "product_id": "T054795-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:job_import_plugin__143.145.v48f9a_a_6ff384"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "LDAP Plugin \u003c807.809.vd3a_4e5e4ec98",
                "product": {
                  "name": "Jenkins Jenkins LDAP Plugin \u003c807.809.vd3a_4e5e4ec98",
                  "product_id": "T054796"
                }
              },
              {
                "category": "product_version",
                "name": "LDAP Plugin 807.809.vd3a_4e5e4ec98",
                "product": {
                  "name": "Jenkins Jenkins LDAP Plugin 807.809.vd3a_4e5e4ec98",
                  "product_id": "T054796-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:ldap_plugin__807.809.vd3a_4e5e4ec98"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Multijob Plugin \u003c669.v9d96a_d9c71b_0",
                "product": {
                  "name": "Jenkins Jenkins Multijob Plugin \u003c669.v9d96a_d9c71b_0",
                  "product_id": "T054797"
                }
              },
              {
                "category": "product_version",
                "name": "Multijob Plugin 669.v9d96a_d9c71b_0",
                "product": {
                  "name": "Jenkins Jenkins Multijob Plugin 669.v9d96a_d9c71b_0",
                  "product_id": "T054797-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:multijob_plugin__669.v9d96a_d9c71b_0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Pipeline: Groovy Libraries Plugin \u003c798.v5cc688825312",
                "product": {
                  "name": "Jenkins Jenkins Pipeline: Groovy Libraries Plugin \u003c798.v5cc688825312",
                  "product_id": "T054798"
                }
              },
              {
                "category": "product_version",
                "name": "Pipeline: Groovy Libraries Plugin 798.v5cc688825312",
                "product": {
                  "name": "Jenkins Jenkins Pipeline: Groovy Libraries Plugin 798.v5cc688825312",
                  "product_id": "T054798-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:pipeline_groovy_libraries_plugin__798.v5cc688825312"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Jenkins"
          }
        ],
        "category": "vendor",
        "name": "Jenkins"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-48916",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48916"
    },
    {
      "cve": "CVE-2026-48917",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48917"
    },
    {
      "cve": "CVE-2026-48918",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48918"
    },
    {
      "cve": "CVE-2026-48919",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48919"
    },
    {
      "cve": "CVE-2026-48920",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48920"
    },
    {
      "cve": "CVE-2026-48921",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48921"
    },
    {
      "cve": "CVE-2026-48922",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48922"
    },
    {
      "cve": "CVE-2026-48923",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48923"
    },
    {
      "cve": "CVE-2026-48924",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48924"
    },
    {
      "cve": "CVE-2026-48925",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48925"
    },
    {
      "cve": "CVE-2026-48926",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48926"
    },
    {
      "cve": "CVE-2026-48927",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-48927"
    },
    {
      "cve": "CVE-2026-9674",
      "product_status": {
        "known_affected": [
          "T054794",
          "T054793",
          "T054792",
          "T054791",
          "T054790",
          "T054789",
          "T054798",
          "T054797",
          "T054796",
          "T054795"
        ]
      },
      "release_date": "2026-05-27T22:00:00.000+00:00",
      "title": "CVE-2026-9674"
    }
  ]
}

CVE-2026-48916 (GCVE-0-2026-48916)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 15:51

Summary

Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.

Severity

6.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins LDAP Plugin	Affected: 0 , ≤ 807.v7d7de30930cf (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.6,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48916",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:51:03.061924Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:51:05.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins LDAP Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "807.v7d7de30930cf",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:45.516Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3654"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48916",
    "datePublished": "2026-05-27T14:13:45.516Z",
    "dateReserved": "2026-05-26T14:50:46.812Z",
    "dateUpdated": "2026-05-27T15:51:05.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48917 (GCVE-0-2026-48917)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 17:04

Summary

Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.

Severity

6.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins LDAP Plugin	Affected: 0 , ≤ 807.v7d7de30930cf (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.6,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48917",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T17:04:09.359441Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T17:04:29.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins LDAP Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "807.v7d7de30930cf",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:46.363Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3654"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48917",
    "datePublished": "2026-05-27T14:13:46.363Z",
    "dateReserved": "2026-05-26T14:50:46.812Z",
    "dateUpdated": "2026-05-27T17:04:29.371Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48918 (GCVE-0-2026-48918)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 15:48

Summary

Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.

Severity

6.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Active Directory Plugin	Affected: 0 , ≤ 2.41 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.6,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48918",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:48:30.569531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:48:34.628Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Active Directory Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "2.41",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:47.113Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3659"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48918",
    "datePublished": "2026-05-27T14:13:47.113Z",
    "dateReserved": "2026-05-26T14:50:46.812Z",
    "dateUpdated": "2026-05-27T15:48:34.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48919 (GCVE-0-2026-48919)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 15:47

Summary

Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.

Severity

6.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Active Directory Plugin	Affected: 0 , ≤ 2.41 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.6,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48919",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:47:33.265732Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:47:35.773Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Active Directory Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "2.41",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:47.832Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3659"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48919",
    "datePublished": "2026-05-27T14:13:47.832Z",
    "dateReserved": "2026-05-26T14:50:46.812Z",
    "dateUpdated": "2026-05-27T15:47:35.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48920 (GCVE-0-2026-48920)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 15:43

Summary

Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-73 - External Control of File Name or Path

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Email Extension Plugin	Affected: 0 , ≤ 1933.v45cec755423f (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48920",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:43:03.856495Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-73",
                "description": "CWE-73 External Control of File Name or Path",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:43:07.808Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Email Extension Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "1933.v45cec755423f",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:48.568Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3705"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48920",
    "datePublished": "2026-05-27T14:13:48.568Z",
    "dateReserved": "2026-05-26T14:50:46.813Z",
    "dateUpdated": "2026-05-27T15:43:07.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48921 (GCVE-0-2026-48921)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 18:35

Summary

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Pipeline: Groovy Libraries Plugin	Affected: 0 , ≤ 797.v90ea_a_9b_e45a_0 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:38:58.994406Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-59",
                "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T18:35:27.630Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Pipeline: Groovy Libraries Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "797.v90ea_a_9b_e45a_0",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:49.193Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3727"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48921",
    "datePublished": "2026-05-27T14:13:49.193Z",
    "dateReserved": "2026-05-26T14:50:46.813Z",
    "dateUpdated": "2026-05-27T18:35:27.630Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48922 (GCVE-0-2026-48922)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 18:35

Summary

Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper Input Validation

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Credentials Binding Plugin	Affected: 0 , ≤ 720.v3f6decef43ea_ (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48922",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:34:32.558227Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-20",
                "description": "CWE-20 Improper Input Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T18:35:18.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Credentials Binding Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "720.v3f6decef43ea_",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:49.848Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3790"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48922",
    "datePublished": "2026-05-27T14:13:49.848Z",
    "dateReserved": "2026-05-26T14:50:46.813Z",
    "dateUpdated": "2026-05-27T18:35:18.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48923 (GCVE-0-2026-48923)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 15:23

Summary

Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-269 - Improper Privilege Management

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins AppSpider Plugin	Affected: 0 , ≤ 1.0.17 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:23:34.714323Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-269",
                "description": "CWE-269 Improper Privilege Management",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:23:37.921Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins AppSpider Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "1.0.17",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:50.565Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3671"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48923",
    "datePublished": "2026-05-27T14:13:50.565Z",
    "dateReserved": "2026-05-26T14:50:46.813Z",
    "dateUpdated": "2026-05-27T15:23:37.921Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48924 (GCVE-0-2026-48924)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 15:22

Summary

Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Bitbucket OAuth Plugin	Affected: 0 , ≤ 0.17 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48924",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:22:48.158323Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-601",
                "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:22:52.693Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins Bitbucket OAuth Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "0.17",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:51.304Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3761"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48924",
    "datePublished": "2026-05-27T14:13:51.304Z",
    "dateReserved": "2026-05-26T14:50:46.813Z",
    "dateUpdated": "2026-05-27T15:22:52.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48925 (GCVE-0-2026-48925)

Vulnerability from cvelistv5 – Published: 2026-05-27 14:13 – Updated: 2026-05-27 15:22

Summary

A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to attackers to trigger a build for a pull request.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2026-05-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins GitHub Integration Plugin	Affected: 0 , ≤ 0.7.3 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48925",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T15:22:12.198502Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-352",
                "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T15:22:16.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jenkins GitHub Integration Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "0.7.3",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to attackers to trigger a build for a pull request."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:13:51.969Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2026-05-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3776"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2026-48925",
    "datePublished": "2026-05-27T14:13:51.969Z",
    "dateReserved": "2026-05-26T14:50:46.813Z",
    "dateUpdated": "2026-05-27T15:22:16.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1707

CVE-2026-48916 (GCVE-0-2026-48916)

CVE-2026-48917 (GCVE-0-2026-48917)

CVE-2026-48918 (GCVE-0-2026-48918)

CVE-2026-48919 (GCVE-0-2026-48919)

CVE-2026-48920 (GCVE-0-2026-48920)

CVE-2026-48921 (GCVE-0-2026-48921)

CVE-2026-48922 (GCVE-0-2026-48922)

CVE-2026-48923 (GCVE-0-2026-48923)

CVE-2026-48924 (GCVE-0-2026-48924)

CVE-2026-48925 (GCVE-0-2026-48925)

Tags

Sightings

Nomenclature