CVE-2026-42523
Stored XSS in Jenkins GitHub Plugin
Publication date: 2026-04-29
Last updated on: 2026-05-05
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | github | to 1.46.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Jenkins GitHub Plugin version 1.46.0 and earlier. It improperly processes the current job URL within JavaScript code that validates the feature "GitHub hook trigger for GITScm polling." This flaw results in a stored cross-site scripting (XSS) vulnerability.
An attacker who has Overall/Read permission (non-anonymous) can exploit this vulnerability by injecting malicious scripts that get stored and later executed in the context of the Jenkins web interface.
Can you explain this vulnerability to me?
This vulnerability exists in Jenkins GitHub Plugin version 1.46.0 and earlier. It occurs because the plugin improperly processes the current job URL within JavaScript code that validates the "GitHub hook trigger for GITScm polling" feature. This improper processing leads to a stored cross-site scripting (XSS) vulnerability.
The vulnerability can be exploited by non-anonymous attackers who have Overall or Read permission on the Jenkins instance.
How can this vulnerability impact me? :
The stored cross-site scripting (XSS) vulnerability allows attackers with Overall or Read permission to inject malicious scripts into the Jenkins interface.
This can lead to unauthorized actions being performed in the context of a victim's browser session, potentially compromising sensitive information, session tokens, or enabling further attacks within the Jenkins environment.
How can this vulnerability impact me? :
The impact of this vulnerability is significant due to its high CVSS score of 9.0. Successful exploitation allows an attacker with Overall/Read permission to execute arbitrary JavaScript in the context of the Jenkins server.
- Compromise of user sessions and credentials.
- Execution of unauthorized actions within Jenkins.
- Potential spread of malicious code to other users accessing the Jenkins interface.
- Disruption of continuous integration and deployment workflows.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects Jenkins GitHub Plugin version 1.46.0 and earlier. To mitigate this stored cross-site scripting (XSS) vulnerability, you should upgrade the GitHub Plugin to a version later than 1.46.0 where the issue is fixed.
Additionally, ensure that only trusted users have Overall/Read permissions, as the vulnerability can be exploited by non-anonymous attackers with these permissions.