Jenkins Fixes High-Severity Plugin Flaws: Patches Including

A security advisory published by the Jenkins project details patches addressing seven plugin vulnerabilities, notably including high-severity path traversal and Stored Cross-Site Scripting (XSS) flaws.

Administrators must urgently update these plugins to secure their Continuous Integration and Continuous Deployment (CI/CD) pipelines against potential remote code execution and session hijacking risks.

The most critical issue is a path traversal vulnerability in the Credentials Binding Plugin, officially tracked as CVE-2026-42520. Versions 719.v80e905ef14eb_ and earlier fail to adequately sanitize file and zip file credentials.

If a Jenkins environment is configured to allow a low-privileged user to configure these credentials for a job running on a built-in node, threat actors can weaponize this oversight.

They can write malicious files to arbitrary locations on the underlying node filesystem, ultimately establishing persistence or achieving remote code execution.

Additionally, two High-severity Stored XSS vulnerabilities threaten Jenkins interfaces. CVE-2026-42523 affects the GitHub Plugin versions 1.46.0 and earlier.

The plugin improperly processes the current job URL during validation for the “GitHub hook trigger for GITScm polling” mechanism.

This flaw allows non-anonymous attackers with minimal Overall/Read permissions to inject malicious JavaScript into the application.

Similarly, CVE-2026-42524 impacts the HTML Publisher Plugin versions 427 and earlier.

The plugin fails to escape job names and URLs in its legacy wrapper file, enabling attackers with Item/Configure permission to execute devastating XSS attacks against administrators viewing the reports.

Medium-Severity Vulnerabilities

The advisory also highlights four Medium-severity vulnerabilities requiring immediate remediation.

The Script Security Plugin (CVE-2026-42519) lacks proper HTTP endpoint permission checks, allowing users with simple Overall/Read access to enumerate pending and approved classpaths seamlessly.

The Matrix Authorization Strategy Plugin (CVE-2026-42521) suffers from unsafe deserialization when processing inheritance strategies, enabling attackers to instantiate arbitrary types.

Furthermore, the GitHub Branch Source Plugin (CVE-2026-42522) permits unauthorized connection tests using attacker-specified credentials.

The Microsoft Entra ID Plugin (CVE-2026-42525) contains an open redirect vulnerability that could facilitate credential-harvesting phishing campaigns.

All flaws were reported proactively through the Jenkins Bug Bounty Program, sponsored by the European Commission.

As highlighted in the Jenkins Project security advisory, teams should immediately apply the latest patches to secure development infrastructure.

Enforcing Content Security Policy (CSP) protection on Jenkins LTS 2.541.1 and newer offers an additional layer of defense against XSS exploitation while patches are being deployed.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.