Zero Day MonitorZDM

← Back to list

9.0

CVE-2026-42523EXPLOITEDPATCHED

jenkins · github plugin

CVE-2026-42523: Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing val

Description

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Affected Products

Vendor	Product	Versions
jenkins	github plugin	0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
jenkins	jenkins	cert_advisory	90%

References

https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3704(vendor-advisory)

Related News (2 articles)

Tier B

BSI Advisories27d ago

[NEU] [hoch] Jenkins Plugins: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB28d ago

CVE-2026-42523 | Jenkins GitHub Plugin up to 1.46.0 cross site scripting

→ No new info (linked only)

CVSS 3.19.0 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3704

PublishedApr 29, 2026

Last enriched28d agov2

Trending Score1

Source articles2

Independent2

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

Multiple Vulnerabilities in Jenkins Plugins

HIGHCVE-2026-42524EXP

CVE-2026-42524: Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in

HIGHCVE-2026-33002

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected

MEDIUMCVE-2026-33003

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or

HIGHCVE-2026-42520EXP

CVE-2026-42520: Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file cre

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 29, 2026

Discovered by ZDM

Apr 29, 2026

Updated: severity, activelyExploited

Apr 29, 2026

Actively Exploited

Apr 29, 2026

Patch Available

Apr 29, 2026

Version History

v2

Last enriched 28d ago

v2Tier C28d ago

Updated severity to HIGH and marked the vulnerability as actively exploited.

severityactivelyExploited

via VulDB

v128d ago

Initial creation