Jenkins CloudBees Jenkins


EOL Dates

Ensure that you are using a supported version of CloudBees Jenkins. Here are some end-of-life and end-of-support dates for CloudBees Jenkins.

Release  EOL Date            Status
2.541    -                   Active
2.528    January 21, 2026    EOL
2.516    October 15, 2025    EOL
2.504    July 23, 2025       EOL
2.492    April 30, 2025      EOL
2.479    February 5, 2025    EOL
2.462    October 2, 2024     EOL
2.452    August 7, 2024      EOL
2.440    May 15, 2024        EOL
2.426    February 21, 2024   EOL
2.414    November 15, 2023   EOL
2.401    August 23, 2023     EOL
2.387    May 31, 2023        EOL
2.375    March 8, 2023       EOL
2.361    November 30, 2022   EOL
2.346    September 7, 2022   EOL
2        -                   Active

By the Year

In 2026 there have been 0 vulnerabilities in CloudBees Jenkins. Last year, in 2025, Jenkins had 1 security vulnerability published. Right now, Jenkins is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 1 7.10
2024 1 8.80
2023 2 6.40
2022 0 0.00
2021 0 0.00
2020 2 0.00

It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent CloudBees Jenkins Security Vulnerabilities

Jenkins JDepend Plugin up to 1.3.1 XXE via outdated JDepend Maven Plugin
CVE-2025-64134 7.1 - High - October 29, 2025

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.

XXE

Jenkins ClassLoaderProxy fetchJar arbitrary file read (pre-2.470, 2.452.3)
CVE-2024-43044 8.8 - High - August 07, 2024

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

Improper Check for Unusual or Exceptional Conditions

Jenkins 2.393 & LTS 2.375.3 - Agent Connection Break Stack Trace Disclosure
CVE-2023-27904 5.3 - Medium - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.

Jenkins DoS via Unlimited Request Parts (before 2.394, LTS 2.375.3)
CVE-2023-27901 7.5 - High - March 10, 2023

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.

Allocation of Resources Without Limits or Throttling

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1
CVE-2015-1811 - January 15, 2020

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1
CVE-2015-1809 - January 15, 2020

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.

Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allow remote attackers to hijack the authentication of administrators for requests
CVE-2013-2034 - May 14, 2014

Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary code or (2) initiate deployment of binaries to a Maven repository via unspecified vectors.

Session Riding

Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1
CVE-2013-2033 - April 10, 2014

Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web script or HTML via unspecified vectors.

XSS

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1
CVE-2012-6074 - February 24, 2013

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.
