The disclosed flaws include path traversal leading to remote code execution, stored cross-site scripting (XSS), unsafe deserialization, missing permission checks, and an open redirect.
The most severe issue in this advisory is CVE-2026-42520 (severity: High), a path traversal vulnerability in Credentials Binding Plugin 719.v80e905ef14eb_ and earlier.
The plugin did not sanitize the file names of file and zip file credentials, so an attacker who can supply such credentials to a job can write files to arbitrary locations on the filesystem of the node that runs the build.
Where low-privileged users are permitted to configure file or zip file credentials for jobs that run on the built-in node, that node is the Jenkins controller itself, so the bug escalates directly to remote code execution over the CI/CD environment.
Jenkins Patches High-Severity Plugin Vulnerability
Credentials Binding Plugin 720.v3f6decef43ea_ fixes the issue by strictly sanitizing those file names.
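As an added illustration (this is not code from the Credentials Binding Plugin, which is written in Java; it is a Python model of the same mistake), the block below joins a user-supplied credential file name or zip entry name onto a credentials directory without checks, beside a containment check that rejects the escape in both the single-file and the zip-entry case. The workspace layout and the archive contents are constructed for the demo.

```python
"""Added example, not Credentials Binding Plugin code: a credential file name
or zip entry name joined onto a directory without checks, beside a
containment check that rejects it. Names and paths are constructed."""
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class TraversalError(ValueError):
    """Raised when a supplied name would land outside the target directory."""


def vulnerable_target(base: Path, name: str) -> Path:
    # The pattern the advisory describes: the user-controlled name is joined
    # onto the directory as-is, so "../../x" walks out of it.
    return Path(os.path.join(str(base), name))


def safe_file_target(base: Path, name: str) -> Path:
    """A file credential gets a bare file name: no separators, no '..'."""
    if not name or name in (".", "..") or "\x00" in name:
        raise TraversalError(f"invalid file name: {name!r}")
    if "/" in name or "\\" in name:
        raise TraversalError(f"separator in file name: {name!r}")
    base_r = base.resolve()
    target = (base_r / name).resolve()
    if target.parent != base_r:  # belt and braces after the string checks
        raise TraversalError(f"{name!r} escapes {base_r}")
    return target


def safe_zip_target(base: Path, entry: str) -> Path:
    """A zip entry may sit in a subdirectory, but must stay under base."""
    p = PurePosixPath(entry.replace("\\", "/"))
    if p.is_absolute() or "\x00" in entry or ".." in p.parts:
        raise TraversalError(f"bad zip entry: {entry!r}")
    base_r = base.resolve()
    target = base_r.joinpath(*p.parts).resolve()
    if target != base_r and base_r not in target.parents:
        raise TraversalError(f"zip entry {entry!r} escapes {base_r}")
    return target


def extract_safely(base: Path, data: bytes) -> dict:
    """Extract an archive under base, returning {entry: 'written'|'rejected'}."""
    outcome = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                target = safe_zip_target(base, info.filename)
            except TraversalError:
                outcome[info.filename] = "rejected"
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            outcome[info.filename] = "written"
    return outcome


def build_demo_zip() -> bytes:
    """Constructed archive: one benign entry and one that tries to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("creds/token.txt", "s3cr3t")
        zf.writestr("../../escaped.txt", "written outside the credentials dir")
    return buf.getvalue()


def _rejects(check, base: Path, name: str) -> bool:
    try:
        check(base, name)
    except TraversalError:
        return True
    return False


def demo() -> dict:
    """Run both paths against a temporary workspace and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "workspace" / "secrets"
        base.mkdir(parents=True)
        base_r = base.resolve()
        escaped = vulnerable_target(base, "../../escaped.txt").resolve()
        results = {
            "vulnerable_join_stays_inside": base_r in escaped.parents,
            "file_name_rejected": _rejects(safe_file_target, base, "../../escaped.txt"),
            "plain_name_accepted": not _rejects(safe_file_target, base, "id_rsa"),
            "zip": extract_safely(base, build_demo_zip()),
            "files_on_disk": sorted(
                p.relative_to(base_r).as_posix()
                for p in base_r.rglob("*") if p.is_file()
            ),
        }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe join resolves to a path two levels above the credentials directory, while the checks reject the same name for a file credential and skip the escaping entry of the zip so that only `creds/token.txt` lands on disk. The resolve-and-compare step matters even after the string checks: it is what catches a name that looks harmless but resolves elsewhere through a symlink.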
Two separate stored XSS vulnerabilities, each rated High, were found in the GitHub Plugin and the HTML Publisher Plugin.
CVE-2026-42523 affects GitHub Plugin 1.46.0 and earlier: the JavaScript behind the "GitHub hook trigger for GITScm polling" option processes the current job URL unsafely, which gives authenticated attackers with only Overall/Read permission a stored XSS.
Version 1.46.0.1 removes the vulnerable URL-processing logic entirely.
CVE-2026-42524 affects HTML Publisher Plugin 427 and earlier, where the legacy wrapper file did not escape job names and URLs, a stored XSS exploitable by attackers with Item/Configure permission.
Version 427.1 corrects the escaping, but only for newly generated wrappers; wrapper files published by earlier versions keep their unescaped content until the reports are regenerated. Deployments on Jenkins 2.539 or newer, or LTS 2.541.1 or newer, can also mitigate the issue by enforcing Content Security Policy (CSP).
| CVE ID | Affected Plugin | Affected Version | Vulnerability Type | Fixed Version |
|---|---|---|---|---|
| CVE-2026-42519 | Script Security Plugin | ≤ 1399.ve6a_66547f6e1 | Missing Permission Check | 1402.v94c9ce464861 |
| CVE-2026-42520 | Credentials Binding Plugin | ≤ 719.v80e905ef14eb_ | Path Traversal / RCE | 720.v3f6decef43ea_ |
| CVE-2026-42521 | Matrix Authorization Strategy Plugin | 2.0-beta-1 through 3.2.9 | Unsafe Deserialization | 3.2.10 |
| CVE-2026-42522 | GitHub Branch Source Plugin | ≤ 1967.vdea_d580c1a_b_a_ | Missing Permission Check | 1967.1969.v205fd594c821 |
| CVE-2026-42523 | GitHub Plugin | ≤ 1.46.0 | Stored XSS | 1.46.0.1 |
| CVE-2026-42524 | HTML Publisher Plugin | ≤ 427 | Stored XSS | 427.1 |
| CVE-2026-42525 | Microsoft Entra ID (Azure AD) Plugin | ≤ 666.v6060de32f87d | Open Redirect | 667.v4c5827a_e74a_0 |
All seven vulnerabilities were reported responsibly through the Jenkins Bug Bounty Program, sponsored by the European Commission and run on the YesWeHack platform.
The Jenkins security advisory urges users to apply the patched plugin versions immediately through the Plugin Manager, prioritizing the Credentials Binding and GitHub Plugin updates given their High severity and the low privileges needed to exploit them.
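An added checker, not Jenkins's own tooling, that reads a Plugin Manager listing and reports which installed plugins are still below the fixed versions in the table above. The JSON sample is constructed to mirror the shape of a `/pluginManager/api/json?depth=1` response; the plugin IDs used as keys (credentials-binding, github, htmlpublisher, script-security, matrix-auth, github-branch-source, azure-ad) are assumptions to confirm in your own Plugin Manager, and the version comparator is a simplified stand-in for `hudson.util.VersionNumber` that is sufficient for the version strings in this advisory.

```python
"""Added example, not Jenkins tooling: compare a Plugin Manager listing with
the fixed versions from this advisory. The listing is constructed; the plugin
IDs are assumed short names and should be confirmed in the Plugin Manager."""
import json
import re

# Plugin ID -> (CVE, first fixed version, first affected version or None).
# IDs are assumptions; the versions are the ones in the advisory table.
ADVISORY = {
    "script-security": ("CVE-2026-42519", "1402.v94c9ce464861", None),
    "credentials-binding": ("CVE-2026-42520", "720.v3f6decef43ea_", None),
    "matrix-auth": ("CVE-2026-42521", "3.2.10", "2.0-beta-1"),
    "github-branch-source": ("CVE-2026-42522", "1967.1969.v205fd594c821", None),
    "github": ("CVE-2026-42523", "1.46.0.1", None),
    "htmlpublisher": ("CVE-2026-42524", "427.1", None),
    "azure-ad": ("CVE-2026-42525", "667.v4c5827a_e74a_0", None),
}

# Constructed stand-in for GET $JENKINS_URL/pluginManager/api/json?depth=1
SAMPLE_LISTING = json.dumps({"plugins": [
    {"shortName": "credentials-binding", "version": "719.v80e905ef14eb_", "active": True},
    {"shortName": "github", "version": "1.46.0.1", "active": True},
    {"shortName": "htmlpublisher", "version": "427", "active": True},
    {"shortName": "matrix-auth", "version": "1.7", "active": True},
    {"shortName": "github-branch-source", "version": "1967.vdea_d580c1a_b_a_", "active": True},
    {"shortName": "script-security", "version": "1402.v94c9ce464861", "active": True},
    {"shortName": "git", "version": "5.2.2", "active": True},
]})


def version_key(version: str) -> list:
    """Tokenize a plugin version. Simplified comparator, not
    hudson.util.VersionNumber: numbers compare numerically, a number beats a
    text qualifier, and a qualifier sorts below a missing component. That is
    enough for the version strings in this advisory."""
    key = []
    for tok in re.split(r"[.\-_]", version):
        if tok:
            key.append((2, int(tok)) if tok.isdigit() else (0, tok.lower()))
    return key


def version_lt(a: str, b: str) -> bool:
    """True when plugin version a is older than b."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    pad = (2, 0)                      # "1.0" == "1" and "1-beta" < "1"
    ka += [pad] * (n - len(ka))
    kb += [pad] * (n - len(kb))
    return ka < kb


def affected_plugins(listing_json: str) -> list:
    """Return findings for installed plugins still on a vulnerable version."""
    findings = []
    for plugin in json.loads(listing_json)["plugins"]:
        entry = ADVISORY.get(plugin["shortName"])
        if entry is None:
            continue                  # not covered by this advisory
        cve, fixed, first_affected = entry
        installed = plugin["version"]
        if not version_lt(installed, fixed):
            continue                  # already at or beyond the fix
        if first_affected and version_lt(installed, first_affected):
            continue                  # older than the affected range
        findings.append({"plugin": plugin["shortName"], "installed": installed,
                         "cve": cve, "update_to": fixed})
    return sorted(findings, key=lambda f: f["cve"])


if __name__ == "__main__":
    for f in affected_plugins(SAMPLE_LISTING):
        print(f"{f['cve']}: {f['plugin']} {f['installed']} -> update to {f['update_to']}")
```

Against the constructed listing the checker flags Credentials Binding, GitHub Branch Source and HTML Publisher, and skips the plugins already at their fixed version, the Matrix Authorization Strategy install that predates the affected range, and the unrelated git plugin. To run it for real, save the JSON returned by the Plugin Manager API with an authenticated request and pass it to `affected_plugins`. A clean result for HTML Publisher still leaves the previously generated wrapper files in place, so the CSP mitigation above remains relevant after the update.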
The post Jenkins Patches High-Severity Plugin Vulnerability Including Path Traversal and Stored XSS appeared first on Cyber Security News.
