Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/CyberSecurity News/Jenkins Patches High-Severity Plugin Flaws, Including Path Traversal
CyberSecurity News

Jenkins Patches High-Severity Plugin Flaws, Including Path Traversal

Key Takeaways Jenkins has released critical security patches for seven vulnerabilities across multiple plugins. High-severity flaws include a path traversal vulnerability (CVE-2026-42520) in the...

Sarah simpson
Sarah simpson
April 30, 2026 3 Min Read
45 0

Key Takeaways

  • Jenkins has released critical security patches for seven vulnerabilities across multiple plugins.
  • High-severity flaws include a path traversal vulnerability (CVE-2026-42520) in the Credentials Binding Plugin and Stored Cross-Site Scripting (XSS) issues (CVE-2026-42523, CVE-2026-42524) in the GitHub and HTML Publisher Plugins.
  • These vulnerabilities pose risks ranging from remote code execution and session hijacking to credential harvesting.
  • Immediate updates to affected plugins are strongly advised for all Jenkins administrators to secure CI/CD pipelines.

The Jenkins project has issued a security advisory detailing urgent patches for seven vulnerabilities impacting several of its plugins. These security defects include high-severity path traversal and Stored Cross-Site Scripting (XSS) flaws, underscoring the critical need for administrators to update their Continuous Integration and Continuous Deployment (CI/CD) environments promptly.

Table Of Content

  • Key Takeaways
  • High-Severity Vulnerabilities Demand Immediate Attention
  • Medium-Severity Vulnerabilities Also Patched
  • What You Should Do

Failure to apply these patches could expose Jenkins pipelines to significant risks, including potential remote code execution and session hijacking by malicious actors.

High-Severity Vulnerabilities Demand Immediate Attention

The most pressing concern is a path traversal vulnerability, identified as CVE-2026-42520, found within the Credentials Binding Plugin. This flaw affects versions 719.v80e905ef14eb_ and earlier, where the plugin inadequately sanitizes file and zip file credentials. In scenarios where a Jenkins setup permits a low-privileged user to configure such credentials for a job executing on a built-in node, attackers could exploit this weakness.

Exploitation of CVE-2026-42520 allows threat actors to write arbitrary malicious files to any location on the underlying node’s filesystem. This capability could lead to the establishment of persistent access or, critically, remote code execution on the compromised system.

Beyond the path traversal issue, two high-severity Stored XSS vulnerabilities have been identified, threatening the integrity of Jenkins interfaces:

  • CVE-2026-42523: This vulnerability impacts the GitHub Plugin, specifically versions 1.46.0 and earlier. The plugin’s validation process for the “GitHub hook trigger for GITScm polling” mechanism improperly handles the current job URL. This oversight enables non-anonymous attackers with minimal Overall/Read permissions to inject malicious JavaScript into the application, potentially leading to session hijacking or data exfiltration.
  • CVE-2026-42524: Affecting the HTML Publisher Plugin in versions 427 and earlier, this flaw stems from the plugin’s failure to properly escape job names and URLs within its legacy wrapper file. Attackers possessing Item/Configure permissions can leverage this vulnerability to execute devastating XSS attacks, targeting administrators who view the generated reports.

Medium-Severity Vulnerabilities Also Patched

The advisory also highlights four medium-severity vulnerabilities that require prompt remediation:

  • CVE-2026-42519: The Script Security Plugin was found to lack proper permission checks for its HTTP endpoints. This allows users with basic Overall/Read access to enumerate pending and approved classpaths without authorization.
  • CVE-2026-42521: The Matrix Authorization Strategy Plugin is susceptible to unsafe deserialization when processing inheritance strategies. This flaw could enable attackers to instantiate arbitrary types, potentially leading to further compromise.
  • CVE-2026-42522: The GitHub Branch Source Plugin permits unauthorized connection tests using credentials specified by an attacker, which could be abused for reconnaissance or credential verification.
  • CVE-2026-42525: An open redirect vulnerability exists in the Microsoft Entra ID Plugin. This could be exploited in phishing campaigns to harvest credentials by redirecting users to malicious sites.

All identified flaws were proactively reported through the Jenkins Bug Bounty Program, an initiative sponsored by the European Commission.

As detailed in the Jenkins Project security advisory, development teams are urged to apply the latest patches immediately to fortify their infrastructure. For additional defense against XSS exploitation while patches are being deployed, enforcing Content Security Policy (CSP) protection on Jenkins LTS 2.541.1 and newer versions is recommended.

What You Should Do

  • Update Plugins Immediately: Prioritize updating all affected Jenkins plugins to their latest versions as outlined in the security advisory.
  • Review Permissions: Audit and restrict permissions for low-privileged users, especially concerning the configuration of credentials and job items.
  • Implement CSP: For Jenkins LTS 2.541.1 and newer, enforce Content Security Policy (CSP) protection as an additional layer against XSS vulnerabilities.
  • Monitor Logs: Regularly monitor Jenkins access logs and system logs for unusual activity, especially related to file system writes or unauthorized access attempts.
  • Stay Informed: Subscribe to Jenkins security advisories to remain aware of ongoing threats and recommended mitigation strategies.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchphishingSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical WordPress Plugin Bug Lets Attackers Inject Malicious Code

Next Post

Critical Google Gemini CLI Vulnerabilities Let Attackers Run Commands

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us