CVE-2026-42524
Stored XSS in Jenkins HTML Publisher Plugin
Publication date: 2026-04-29
Last updated on: 2026-05-05
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | html_publisher | to 427 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Jenkins HTML Publisher Plugin version 427 and earlier. It occurs because the plugin does not properly escape the job name and URL in the legacy wrapper file. This flaw allows attackers who have Item/Configure permission to exploit a stored cross-site scripting (XSS) vulnerability.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker with Item/Configure permission can inject malicious scripts into the Jenkins interface via the job name or URL fields. This stored XSS can lead to unauthorized actions, data theft, or session hijacking within the Jenkins environment.
Can you explain this vulnerability to me?
The vulnerability exists in the Jenkins HTML Publisher Plugin version 427 and earlier. It occurs because the plugin does not properly escape the job name and URL in the legacy wrapper file.
This flaw results in a stored cross-site scripting (XSS) vulnerability, which means that malicious scripts can be injected and stored by attackers.
Attackers who have Item/Configure permission on Jenkins can exploit this vulnerability to execute arbitrary scripts in the context of the affected Jenkins instance.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows attackers with Item/Configure permission to execute arbitrary scripts via stored XSS.
- Compromise of confidentiality: Attackers can steal sensitive information accessible through the Jenkins interface.
- Compromise of integrity: Attackers can manipulate Jenkins job configurations or data.
- Compromise of availability: Attackers might disrupt Jenkins operations or cause denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Jenkins HTML Publisher Plugin 427 and earlier allows stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission. Such XSS vulnerabilities can lead to unauthorized access or manipulation of sensitive data, potentially impacting confidentiality, integrity, and availability.
While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data protection and privacy requirements mandated by these regulations. Exploitation could result in unauthorized data exposure or modification, which may lead to non-compliance with such standards.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the stored cross-site scripting (XSS) vulnerability in Jenkins HTML Publisher Plugin 427 and earlier, you should upgrade the plugin to a version later than 427 where the issue is fixed.
Additionally, restrict Item/Configure permissions to trusted users only, as the vulnerability is exploitable by attackers with this permission.