Vulnerabilities in Jenkins Project

1,522 results
Vexday analysis

The Jenkins Project has accumulated 458 catalogued CVEs, with 56 new entries in the last 90 days, signalling a steady pace of discoveries that calls for constant monitoring. The rate of active exploitation is below the catalogue-wide average, with only 1 CVE confirmed in the CISA KEV; that single entry, CVE-2024-23897, however, carries the maximum EPSS score of 1.0, indicating an extremely high probability of active exploitation and making its immediate remediation an absolute priority. The most frequent weakness type is CWE-352 (Cross-Site Request Forgery), which points to persistent weaknesses in the platform's request-control mechanisms, particularly relevant in internet-exposed environments. With 20 critical-severity CVEs and 3 with a public PoC available, the real attack surface deserves proportional attention, regardless of the relatively contained exploitation rate.

CVE-2026-42524 (HIGH, EPSS 0.3%): Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site
CVE-2023-40351 (EPSS 0.3%): A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or re
CVE-2026-57284 (MEDIUM, EPSS 0.3%): Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Sni
CVE-2025-30196 (MEDIUM, EPSS 0.3%): Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme
CVE-2020-2154 (EPSS 0.3%): Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Je
CVE-2023-41946 (EPSS 0.3%): A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Tes
CVE-2026-48917 (MEDIUM, EPSS 0.3%): Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.
CVE-2026-48919 (MEDIUM, EPSS 0.3%): Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.
CVE-2019-10453 (EPSS 0.3%): Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by use
CVE-2025-64137 (MEDIUM, EPSS 0.3%): A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacke
CVE-2023-4302 (MEDIUM, EPSS 0.3%): Missing permission checks in Fortify Plugin allow capturing credentials
CVE-2025-31728 (MEDIUM, EPSS 0.3%): Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasin
CVE-2025-31726 (MEDIUM, EPSS 0.3%): Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller whe
CVE-2025-31727 (MEDIUM, EPSS 0.3%): Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins contro
CVE-2025-31725 (MEDIUM, EPSS 0.3%): Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewe
CVE-2025-53665 (MEDIUM, EPSS 0.3%): Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration for
CVE-2022-45386 (MEDIUM, EPSS 0.3%): Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2025-53667 (MEDIUM, EPSS 0.3%): Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potentia
CVE-2026-53441 (EPSS 0.3%): Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of
CVE-2025-30197 (LOW, EPSS 0.3%): Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for att