CVE-2026-42523
Analyzed Analyzed - Analysis Complete
Stored XSS in Jenkins GitHub Plugin

Publication date: 2026-04-29

Last updated on: 2026-05-05

Assigner: Jenkins Project

Description
Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42523
EUVD
EUVD-2026-26225
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jenkins github to 1.46.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Jenkins GitHub Plugin version 1.46.0 and earlier. It occurs because the plugin improperly processes the current job URL within JavaScript code that validates the "GitHub hook trigger for GITScm polling" feature. This improper processing leads to a stored cross-site scripting (XSS) vulnerability.

The vulnerability can be exploited by non-anonymous attackers who have Overall or Read permission on the Jenkins instance.

Impact Analysis

The stored cross-site scripting (XSS) vulnerability allows attackers with Overall or Read permission to inject malicious scripts into the Jenkins interface.

This can lead to unauthorized actions being performed in the context of a victim's browser session, potentially compromising sensitive information, session tokens, or enabling further attacks within the Jenkins environment.

Executive Summary

This vulnerability exists in the Jenkins GitHub Plugin version 1.46.0 and earlier. It improperly processes the current job URL within JavaScript code that validates the feature "GitHub hook trigger for GITScm polling." This flaw results in a stored cross-site scripting (XSS) vulnerability.

An attacker who has Overall/Read permission (non-anonymous) can exploit this vulnerability by injecting malicious scripts that get stored and later executed in the context of the Jenkins web interface.

Impact Analysis

The impact of this vulnerability is significant due to its high CVSS score of 9.0. Successful exploitation allows an attacker with Overall/Read permission to execute arbitrary JavaScript in the context of the Jenkins server.

  • Compromise of user sessions and credentials.
  • Execution of unauthorized actions within Jenkins.
  • Potential spread of malicious code to other users accessing the Jenkins interface.
  • Disruption of continuous integration and deployment workflows.
Mitigation Strategies

The vulnerability affects Jenkins GitHub Plugin version 1.46.0 and earlier. To mitigate this stored cross-site scripting (XSS) vulnerability, you should upgrade the GitHub Plugin to a version later than 1.46.0 where the issue is fixed.

Additionally, ensure that only trusted users have Overall/Read permissions, as the vulnerability can be exploited by non-anonymous attackers with these permissions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42523. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart