CVE-2026-42524
Analyzed Analyzed - Analysis Complete
Stored XSS in Jenkins HTML Publisher Plugin

Publication date: 2026-04-29

Last updated on: 2026-05-05

Assigner: Jenkins Project

Description
Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42524
EUVD
EUVD-2026-26226
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jenkins html_publisher to 427 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Jenkins HTML Publisher Plugin version 427 and earlier. It occurs because the plugin does not properly escape the job name and URL in the legacy wrapper file. This flaw allows attackers who have Item/Configure permission to exploit a stored cross-site scripting (XSS) vulnerability.

Impact Analysis

The impact of this vulnerability is that an attacker with Item/Configure permission can inject malicious scripts into the Jenkins interface via the job name or URL fields. This stored XSS can lead to unauthorized actions, data theft, or session hijacking within the Jenkins environment.

Executive Summary

The vulnerability exists in the Jenkins HTML Publisher Plugin version 427 and earlier. It occurs because the plugin does not properly escape the job name and URL in the legacy wrapper file.

This flaw results in a stored cross-site scripting (XSS) vulnerability, which means that malicious scripts can be injected and stored by attackers.

Attackers who have Item/Configure permission on Jenkins can exploit this vulnerability to execute arbitrary scripts in the context of the affected Jenkins instance.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with Item/Configure permission to execute arbitrary scripts via stored XSS.

  • Compromise of confidentiality: Attackers can steal sensitive information accessible through the Jenkins interface.
  • Compromise of integrity: Attackers can manipulate Jenkins job configurations or data.
  • Compromise of availability: Attackers might disrupt Jenkins operations or cause denial of service.
Compliance Impact

The vulnerability in Jenkins HTML Publisher Plugin 427 and earlier allows stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission. Such XSS vulnerabilities can lead to unauthorized access or manipulation of sensitive data, potentially impacting confidentiality, integrity, and availability.

While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data protection and privacy requirements mandated by these regulations. Exploitation could result in unauthorized data exposure or modification, which may lead to non-compliance with such standards.

Mitigation Strategies

To mitigate the stored cross-site scripting (XSS) vulnerability in Jenkins HTML Publisher Plugin 427 and earlier, you should upgrade the plugin to a version later than 427 where the issue is fixed.

Additionally, restrict Item/Configure permissions to trusted users only, as the vulnerability is exploitable by attackers with this permission.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42524. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart