Jenkins CI / CD Server
Recent Jenkins Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-06-24 | Jenkins Security Advisory 2026-06-24 | June 24, 2026 |
| 2026-06-10 | Jenkins Security Advisory 2026-06-10 | June 10, 2026 |
| 2026-05-27 | Jenkins Security Advisory 2026-05-27 | May 27, 2026 |
| 2026-04-29 | Jenkins Security Advisory 2026-04-29 | April 29, 2026 |
| 2026-03-18 | Jenkins Security Advisory 2026-03-18 | March 18, 2026 |
| 2026-02-18 | Jenkins Security Advisory 2026-02-18 | February 18, 2026 |
| 2025-12-10 | Jenkins Security Advisory 2025-12-10 | December 10, 2025 |
| 2025-10-29 | Jenkins Security Advisory 2025-10-29 | October 29, 2025 |
| 2025-09-17 | Jenkins Security Advisory 2025-09-17 | September 17, 2025 |
| 2025-09-03 | Jenkins Security Advisory 2025-09-03 | September 3, 2025 |
Known Exploited Jenkins Vulnerabilities
The following Jenkins vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Jenkins Remote Code Execution Vulnerability | Jenkins contains a remote code execution vulnerability. Attackers could transfer a serialized Java SignedObject to the remoting-based Jenkins CLI, which deserialized it using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism. CVE-2017-1000353. Exploit Probability: 99.7% | October 2, 2025 |
| Jenkins Command Line Interface (CLI) Path Traversal Vulnerability | Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution. CVE-2024-23897. Exploit Probability: 100.0% | August 19, 2024 |
| Jenkins User Interface (UI) Information Disclosure Vulnerability | Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages. CVE-2015-5317. Exploit Probability: 22.4% | May 12, 2023 |
| Jenkins Script Security Plugin Sandbox Bypass Vulnerability | Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox. CVE-2019-1003029. Exploit Probability: 73.9% | April 25, 2022 |
| Jenkins Matrix Project Plugin Remote Code Execution Vulnerability | Jenkins Matrix Project Plugin contains a vulnerability that allows users to escape the sandbox, opening the opportunity to perform remote code execution. CVE-2019-1003030. Exploit Probability: 75.6% | March 25, 2022 |
| Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability | A code execution vulnerability exists in the Stapler web framework used by Jenkins. CVE-2018-1000861. Exploit Probability: 98.3% | February 10, 2022 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2015-5317: Jenkins User Interface (UI) Information Disclosure Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.
By the Year
In 2026 there have been 63 vulnerabilities in Jenkins so far, with an average CVSS base score of 5.8 out of ten. Last year, in 2025, Jenkins had 90 security vulnerabilities published. If vulnerabilities keep arriving at the current rate, the number of security vulnerabilities in Jenkins in 2026 could surpass last year's total. The average CVE base score of the 2026 vulnerabilities is also 0.28 higher than in 2025.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 63 | 5.79 |
| 2025 | 90 | 5.51 |
| 2024 | 32 | 6.18 |
| 2023 | 255 | 6.36 |
| 2022 | 389 | 6.16 |
| 2021 | 102 | 6.51 |
| 2020 | 228 | 6.00 |
| 2019 | 345 | 6.88 |
| 2018 | 120 | 6.45 |
It may take a day or so for new Jenkins vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Jenkins Security Vulnerabilities
| CVE | Date | Title | Description |
|---|---|---|---|
| CVE-2026-57307 | Jun 24, 2026 | Jenkins Zowe zDevOps Plugin <=1.1.3.50 Missing Permission Check | A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2026-57305 | Jun 24, 2026 | Jenkins Assembla Plugin <=1.4 CSRF Allows Remote URL Connections | A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password. |
| CVE-2026-57306 | Jun 24, 2026 | CSRF in Jenkins Zowe zDevOps Plugin <=1.1.3.50 Captures Credentials | A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2026-57303 | Jun 24, 2026 | Jenkins Assembla Plugin <=1.4 XXE | Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery. |
| CVE-2026-57304 | Jun 24, 2026 | Permission Bypass in Jenkins Assembla Plugin <=1.4 | A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. |
| CVE-2026-57302 | Jun 24, 2026 | Jenkins FitNesse Plugin <=1.36 Exposes Passwords in config.xml (Extended Read) | Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system. |
| CVE-2026-57300 | Jun 24, 2026 | Jenkins MCP Server Plugin <=0.177 Permission Bypass: Read Replay Scripts with Item/Read | A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access. |
| CVE-2026-57301 | Jun 24, 2026 | Jenkins OWASP ZAP Plugin <=1.0.7 RCE via Build Operations on the Controller | Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller. |
| CVE-2026-57299 | Jun 24, 2026 | Missing Permission Checks in Jenkins Contrast Plugin <=3.11 Allow Metadata Enumeration | Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata. |
| CVE-2026-57298 | Jun 24, 2026 | CSRF in Jenkins Contrast Plugin <=3.11: Connection to Attacker-Specified URL | A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key. |
| CVE-2026-57297 | Jun 24, 2026 | Permission Bypass in Jenkins Contrast Plugin <=3.11 via Attacker-Specified URL | A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key. |
| CVE-2026-57296 | Jun 24, 2026 | Jenkins External Workspace Manager Plugin <=1.3.2 Path Traversal Leading to RCE | Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution. |
| CVE-2026-57295 | Jun 24, 2026 | CSRF in Jenkins EC2 Fleet Plugin <=4.2.3.539 Allows AWS Credential Theft | A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins. |
| CVE-2026-57294 | Jun 24, 2026 | Missing Permission Check in Jenkins EC2 Fleet Plugin <=4.2.3.539 Leaks AWS Credentials | A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins. |
| CVE-2026-57293 | Jun 24, 2026 | Incorrect Permission Check in Jenkins Gitee Plugin Enumerates Credential IDs | An incorrect permission check in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2026-57292 | Jun 24, 2026 | CSRF in Jenkins Gitee Plugin Enables Connection to Attacker-Specified URL with Credentials | A cross-site request forgery (CSRF) vulnerability in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method. |
| CVE-2026-57291 | Jun 24, 2026 | Missing Permission Checks in Jenkins Gitee Plugin Allow Connection to Attacker-Specified URL | Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method. |
| CVE-2026-57290 | Jun 24, 2026 | CSRF in Jenkins Priority Sorter Plugin Allows Global Job Priority Override | A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration. |
| CVE-2026-57289 | Jun 24, 2026 | Jenkins Bitbucket Push and Pull Request Plugin <=3.3.8: SSL/TLS Validation Disabled | Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token. |
| CVE-2026-57288 | Jun 24, 2026 | Jenkins Active Directory Plugin <=2.41.1: LDAP Filter Injection via Unescaped User Name | Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name. |
| CVE-2026-57287 | Jun 24, 2026 | Jenkins Job Configuration History Plugin Exposes Encrypted Secrets via History | Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted. |
| CVE-2026-57286 | Jun 24, 2026 | Jenkins Git Parameter Plugin Missing Permission Check Allows Information Disclosure | A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata. |
| CVE-2026-57285 | Jun 24, 2026 | Permission Bypass in Jenkins GitHub Branch Source Plugin <=1967.1969 Reveals Server URLs | A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration. |
| CVE-2026-57284 | Jun 24, 2026 | Unrestricted Type Instantiation via Pipeline Snippet Generator | Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps. |
| CVE-2026-57283 | Jun 24, 2026 | CSRF in Jenkins Pipeline: Groovy Plugin via Snippet Generator | A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator. |
| CVE-2026-57282 | Jun 24, 2026 | Jenkins Git Client Plugin <=6.6.0 OS Command Injection via Unescaped Workspace Directory | Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent. |
| CVE-2026-57281 | Jun 24, 2026 | Jenkins Script Security Plugin AST Transformation Annotation Sandbox Escape | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script. |
| CVE-2026-57280 | Jun 24, 2026 | Jenkins Script Security Plugin: Typed For-Each Loop Sandbox Bypass | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection. |
| CVE-2026-53442 | Jun 10, 2026 | Jenkins <=2.567 & LTS <=2.555.2: Unencrypted Secrets in config.xml | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets submitted through the POST config.xml API before storing them in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2026-53441 | Jun 10, 2026 | Stored XSS via POST config.xml API in Jenkins 2.483-2.567 & LTS 2.492.1-2.555.2 | Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. |
| CVE-2026-53440 | Jun 10, 2026 | Jenkins <=2.567 & LTS <=2.555.2: Delegated Security Realm Redirect Phishing | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. |
| CVE-2026-53439 | Jun 10, 2026 | Jenkins <=2.567 & LTS <=2.555.2: Missing Permission Checks Expose User Timezone & Views | Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". |
| CVE-2026-53438 | Jun 10, 2026 | Jenkins <=2.567 & LTS <=2.555.2: Missing Permission Check Allows Cancelling Unviewable Queue Items | A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. |
| CVE-2026-53437 | Jun 10, 2026 | Jenkins <=2.567 & LTS <=2.555.2: Login Redirect Phishing via Obfuscated Slashes | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks. |
| CVE-2026-53436 | Jun 10, 2026 | Jenkins <=2.567 & LTS <=2.555.2: Redirect Path Spoofing Enables Phishing | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks. |
| CVE-2026-53435 | Jun 10, 2026 | Jenkins <=2.567 & LTS <=2.555.2: Deserialization of Arbitrary Types from config.xml | In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller. |
| CVE-2026-9674 | May 27, 2026 | CSRF in Jenkins Multijob Plugin Enables Resuming Failed Builds | A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. |
| CVE-2026-48927 | May 27, 2026 | Jenkins buildgraph-view Plugin <=1.8 XSS via Unescaped Build URL | Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. |
| CVE-2026-48926 | May 27, 2026 | Jenkins Job Import Plugin Credential ID Enumeration via Missing Permission Check | Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2026-48925 | May 27, 2026 | Jenkins GitHub Integration Plugin <=0.7.3 CSRF Allows Build Trigger | A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request. |
| CVE-2026-48923 | May 27, 2026 | Permission Bypass in Jenkins AppSpider Plugin <=1.0.17 | Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2026-48924 | May 27, 2026 | Jenkins Bitbucket OAuth Plugin <=0.17 Unrestricted Redirect URL Enables Phishing | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. |
| CVE-2026-48922 | May 27, 2026 | Jenkins Credentials Binding Plugin RCE via Unsanitized File Names | Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. |
| CVE-2026-48921 | May 27, 2026 | Jenkins Pipeline: Groovy Libraries Plugin: Symbolic Links Allow Arbitrary File Read | Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. |
| CVE-2026-48920 | May 27, 2026 | Jenkins Email Extension Plugin Base64 Image Inlining Enables File Read | Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. |
| CVE-2026-48919 | May 27, 2026 | Jenkins Active Directory Plugin <=2.41 LDAP Referral Deserialization | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48918 | May 27, 2026 | Jenkins Active Directory Plugin <=2.41 Follows LDAP Referrals by Default | Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. |
| CVE-2026-48917 | May 27, 2026 | Jenkins LDAP Plugin: Insecure Deserialization of LDAP Referral Data | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. |
| CVE-2026-48916 | May 27, 2026 | Jenkins LDAP Plugin Follows LDAP Referrals | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. |
| CVE-2018-25332 | May 17, 2026 | GitBucket 4.23.1 RCE via Weak Secret Token and Insecure Upload | GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint. |
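Most of the plugin entries above share one root cause: a Stapler form-validation endpoint (a `doTestConnection`, `doCheck*` or `doFill*Items` method on a descriptor) that is reachable by GET from anyone with Overall/Read and performs no permission check, so it can be used both directly (missing permission check) and cross-site (CSRF) to make the controller connect to an attacker-specified URL with stored credentials. The following added example is not code from any plugin on this page; the class, field and parameter names are hypothetical. It shows the vulnerable endpoint shape beside the hardened one that applies the two standard Jenkins fixes: require POST (Jenkins enforces its CSRF crumb on POST) and require the same permission the configuration form itself requires.

```java
// Added illustration, not from any plugin listed above. Names are hypothetical.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;

public class ExampleServerBuilder extends Builder {

    @DataBoundConstructor
    public ExampleServerBuilder() {
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // VULNERABLE shape (the "missing permission check" / "CSRF" pattern in the table):
        // reachable at .../descriptorByName/<class>/testConnectionVulnerable by GET from any
        // Overall/Read user, and forgeable from another origin because no POST is required.
        // Jenkins connects wherever "url" points and sends "apiToken" to it.
        public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                         @QueryParameter String apiToken) {
            return probe(url, apiToken);
        }

        // HARDENED shape: @POST makes Stapler reject GET and enforce the CSRF crumb, and the
        // permission check mirrors what the surrounding config form requires. When the
        // endpoint is invoked from a job's configuration page Stapler injects the job as the
        // ancestor Item; from the global configuration page it is null, so fall back to
        // Overall/Administer. Credentials-ID variants (doFillCredentialsIdItems and friends)
        // need the same guard before the ID is resolved to a secret.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String apiToken) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(url, apiToken);
        }

        // Shared connection logic: the hardened version does not change what the probe does,
        // only who is allowed to trigger it.
        private static FormValidation probe(String url, String apiToken) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
                c.setRequestProperty("Authorization", "Bearer " + apiToken);
                c.setConnectTimeout(5000);
                c.setReadTimeout(5000);
                int code = c.getResponseCode();
                return code == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + code);
            } catch (Exception e) {
                return FormValidation.error(e, "Connection failed");
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

A quick way to audit an installed plugin for the vulnerable shape is to list every `do*` method on its descriptors and confirm each one carries `@POST` (or `@RequirePOST`) and a `checkPermission` call before it reads credentials or opens a connection; the Jenkins security team's advisories for the rows above describe exactly that omission. Note that the hardened endpoint still lets an authorized configurer point the controller at any URL, which is by design; the fix is about who may trigger it, not about restricting destinations.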
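The redirect rows (CVE-2026-53436, CVE-2026-53437, CVE-2026-53440, CVE-2026-48924) describe a post-login "from" parameter that is accepted as an in-application path when it actually leads off-site. The added example below is not Jenkins code; it contrasts a naive prefix check of the kind those entries describe as bypassable with a stricter validator that rejects the two classes the table names: control characters such as tab and newline between the leading slashes (browsers strip them, so `/\t/evil.example` is requested as `//evil.example`), and relative path segments (`./`, `../`). The helper names and the sample inputs are constructed for the illustration.

```java
// Added illustration, not Jenkins' own redirect validation. Names are hypothetical.
import java.net.URI;
import java.net.URISyntaxException;

public final class LoginRedirectCheck {

    // Naive check: "starts with a single slash" is treated as an in-app path.
    // It accepts "/\t/evil.example" and "/../../evil.example", the shapes listed above.
    static boolean naiveIsSafe(String from) {
        return from != null && from.startsWith("/") && !from.startsWith("//");
    }

    // Stricter check that a redirect target is a path on this Jenkins instance.
    static boolean isSafe(String from) {
        if (from == null || from.isEmpty()) {
            return false;
        }
        // 1. No control characters anywhere: browsers drop tab/CR/LF, so a value that looks
        //    like "/\t/host" on the server is fetched as "//host" (protocol-relative) by the client.
        for (int i = 0; i < from.length(); i++) {
            char ch = from.charAt(i);
            if (ch < 0x20 || ch == 0x7f) {
                return false;
            }
        }
        // 2. Must be an absolute path on this host: exactly one leading slash, and not "/\"
        //    (some browsers normalize a backslash to a forward slash).
        if (!from.startsWith("/") || from.startsWith("//") || from.startsWith("/\\")) {
            return false;
        }
        // 3. No relative path segments; normalization could walk "/../" past the context path.
        String pathOnly = from.split("[?#]", 2)[0];
        for (String segment : pathOnly.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        // 4. It must parse as a URI reference with neither scheme nor authority.
        try {
            URI u = new URI(from);
            return u.getScheme() == null && u.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "/job/build-all/",
            "//evil.example/",
            "/\t/evil.example/",
            "/\n/evil.example/",
            "/../../evil.example/",
            "/./job/x/../../../evil.example/",
            "/\\evil.example/",
            "https://evil.example/",
        };
        for (String s : samples) {
            System.out.printf("%-40s naive=%-5s strict=%s%n",
                    s.replace("\t", "\\t").replace("\n", "\\n"), naiveIsSafe(s), isSafe(s));
        }
    }
}
```

Only the first sample passes `isSafe`; the tab, newline and `..` variants pass the naive check and fail the strict one. Percent-encoded forms such as `%2e%2e` are not decoded by a browser before the request is sent, but if the servlet container or an intermediate proxy decodes them before path normalization, the same segment check should be applied to the decoded path as well.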
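CVE-2026-57288 describes a user name embedded unescaped into an LDAP search filter, letting an unauthenticated caller inject wildcards and bind as "whichever user matches". The standard fix is to escape filter values per RFC 4515 before interpolation. The added example below is not the Active Directory plugin's code; it shows the unsafe and safe filter construction side by side with constructed inputs.

```java
// Added illustration, not from the Jenkins Active Directory plugin. Names are hypothetical.
public final class LdapFilterEscape {

    // RFC 4515 escaping for a value placed inside an LDAP search filter:
    // backslash, asterisk, parentheses and NUL become \XX hex escapes.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe: the raw user name becomes part of the filter grammar.
    static String unsafeFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + userName + "))";
    }

    // Safe: the user name can only ever match itself literally.
    static String safeFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userName) + "))";
    }

    public static void main(String[] args) {
        // Constructed inputs: a wildcard probe and a filter-structure injection.
        String[] inputs = { "adm*", "a*", "x)(objectClass=*" };
        for (String in : inputs) {
            System.out.println("input:  " + in);
            System.out.println("unsafe: " + unsafeFilter(in));
            System.out.println("safe:   " + safeFilter(in));
            System.out.println();
        }
    }
}
```

With the unsafe builder, `adm*` yields `(sAMAccountName=adm*)`, which the directory evaluates as a prefix match, so a bind attempt succeeds against any account starting with `adm` whose password the attacker knows; with escaping the attribute value is `adm\2a` and matches only an account literally named `adm*`. Escaping is the fix for the filter; the bind itself should additionally use the distinguished name returned by the search rather than the caller-supplied string.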