Zero Day Monitor (ZDM)
8.0
CVE-2026-42524 · EXPLOITED · PATCHED
jenkins · html publisher plugin

CVE-2026-42524: Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in

Description

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected Products

Vendor | Product | Versions
jenkins | html publisher plugin | 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
jenkins | jenkins | cert_advisory | 90%

References

  • https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3706 (vendor-advisory)

Related News (3 articles)

Tier B · BSI Advisories · 27d ago
[NEW] [high] Jenkins Plugins: Multiple Vulnerabilities
→ No new info (linked only)

Tier B · CCCS Canada · 28d ago
Jenkins security advisory (AV26-403)
→ No new info (linked only)

Tier C · VulDB · 28d ago
CVE-2026-42524 | Jenkins HTML Publisher Plugin up to 427 cross site scripting
→ No new info (linked only)

CVSS 3.1: 8.0 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3706
Published: Apr 29, 2026
Last enriched: 28d ago (v3)
Tags: security advisory
Trending Score: 1
Source articles: 3
Independent: 3
Info Completeness: 8/14
Missing: cvss, epss, cwe, kev, iocs, mitre_attack

Related CVEs (5)

PRE-CVE
Multiple Vulnerabilities in Jenkins Plugins
Trending: 20
CRITICAL · CVE-2026-42523 · EXP
CVE-2026-42523: Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing val
Trending: 1
HIGH · CVE-2026-33002
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected
Trending: 1
MEDIUM · CVE-2026-33003
Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or
Trending: 1
HIGH · CVE-2026-42520 · EXP
CVE-2026-42520: Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file cre
Trending: 1

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

Apr 29, 2026 · CVE Published
Apr 29, 2026 · Discovered by ZDM
Apr 29, 2026 · Updated: severity
Apr 29, 2026 · Updated: affectedVersions, exploitAvailable, activelyExploited, tags
Apr 29, 2026 · Actively Exploited
Apr 29, 2026 · Exploit Available
Apr 29, 2026 · Patch Available

Version History

v3 · Last enriched 28d ago

v3 · Tier B · 28d ago
Updated affected versions, marked exploit as available and actively exploited, and added a security advisory tag.
affectedVersions, exploitAvailable, activelyExploited, tags
via CCCS Canada

v2 · Tier C · 28d ago
Updated severity to HIGH and corrected exploit availability to false.
severity
via VulDB

v1 · 28d ago
Initial creation