org.jenkins-ci.main:jenkins-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.jenkins-ci.main:jenkins-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (200)
CVE-2021-21696 — CVSS 9.8 (critical): Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories…
CVE-2021-21694 — CVSS 9.8 (critical): FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in…
CVE-2021-21693 — CVSS 9.8 (critical): When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318…
CVE-2021-21692 — CVSS 9.8 (critical): FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read'…
CVE-2016-9299 — CVSS 9.8 (critical): The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized…
CVE-2017-1000362 — CVSS 9.8 (critical): The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a…
CVE-2016-0791 — CVSS 9.8 (critical): Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote…
CVE-2016-0788 — CVSS 9.8 (critical): The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP…
CVE-2021-21690 — CVSS 9.8 (critical): Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and…
CVE-2021-21691 — CVSS 9.8 (critical): Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS…
CVE-2023-27898 — CVSS 9.6 (critical): Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin…
CVE-2021-21697 — CVSS 9.1 (critical): Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins…
CVE-2021-21685 — CVSS 9.1 (critical): Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in…
CVE-2021-21689 — CVSS 9.1 (critical): FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and…
CVE-2021-21687 — CVSS 9.1 (critical): Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a…
CVE-2018-1999001 — CVSS 8.8 (high): A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that…
CVE-2012-4438 — CVSS 8.8 (high): Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data…
CVE-2020-2160 — CVSS 8.8 (high): Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft…
CVE-2017-2608 — CVSS 8.8 (high): Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types…
CVE-2015-7538 — CVSS 8.8 (high): Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.
CVE-2026-33001 — CVSS 8.8 (high): Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz…
CVE-2017-1000356 — CVSS 8.8 (high): Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication…
CVE-2024-23898 — CVSS 8.8 (high): Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests…
CVE-2021-21695 — CVSS 8.8 (high): FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and…
CVE-2024-43044 — CVSS 8.8 (high): Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system…
CVE-2019-10384 — CVSS 8.8 (high): Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in…
CVE-2023-43496 — CVSS 8.8 (high): Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions…
CVE-2016-0792 — CVSS 8.8 (high): Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary…
CVE-2015-7537 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the…
CVE-2017-1000393 — CVSS 8.8 (high): Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method…
CVE-2017-1000354 — CVSS 8.8 (high): Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any…
CVE-2020-2099 — CVSS 8.6 (high): Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3…
CVE-2018-1000863 — CVSS 8.2 (high): A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows…
CVE-2017-1000503 — CVSS 8.1 (high): A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands…
CVE-2019-1003049 — CVSS 8.1 (high): Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated…
CVE-2017-1000504 — CVSS 8.1 (high): A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands…
CVE-2023-43498 — CVSS 8.1 (high): In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the…
CVE-2023-43497 — CVSS 8.1 (high): In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in…
CVE-2021-21686 — CVSS 8.1 (high): File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize…
CVE-2018-1000194 — CVSS 8.1 (high): A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that…
CVE-2021-21604 — CVSS 8.0 (high): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject…
CVE-2021-21605 — CVSS 8.0 (high): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to…
CVE-2026-27099 — CVSS 8.0 (high): Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of…
CVE-2023-35141 — CVSS 8.0 (high): In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the…
CVE-2018-1000410 — CVSS 7.8 (high): An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these…
CVE-2022-34174 — CVSS 7.5 (high): In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between…
CVE-2019-10353 — CVSS 7.5 (high): CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass…
CVE-2022-34175 — CVSS 7.5 (high): Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing…
CVE-2017-1000394 — CVSS 7.5 (high): Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability…
CVE-2025-67635 — CVSS 7.5 (high): Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes…
CVE-2021-21671 — CVSS 7.5 (high): Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
CVE-2015-5325 — CVSS 7.5 (high): Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP…
CVE-2018-1999002 — CVSS 7.5 (high): A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's…
CVE-2026-33002 — CVSS 7.5 (high): Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made…
CVE-2015-7539 — CVSS 7.5 (high): The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site…
CVE-2023-27900 — CVSS 7.5 (high): Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of…
CVE-2018-1999043 — CVSS 7.5 (high): A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java…
CVE-2014-2063 — CVSS 7.5 (high): Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
CVE-2023-27901 — CVSS 7.5 (high): Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of…
CVE-2014-3666 — CVSS 7.5 (high): Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.
CVE-2015-1811 — CVSS 7.5 (high): XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary…
CVE-2022-0538 — CVSS 7.5 (high): Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections…
CVE-2021-21688 — CVSS 7.5 (high): The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject…
CVE-2015-1814 — CVSS 7.5 (high): The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API…
CVE-2012-0785 — CVSS 7.5 (high): Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before…
CVE-2013-0329 — CVSS 7.5 (high): Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism…
CVE-2015-1809 — CVSS 7.5 (high): XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary…
CVE-2016-3726 — CVSS 7.4 (high): Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary…
CVE-2017-1000391 — CVSS 7.3 (high): Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as…
CVE-2019-1003004 — CVSS 7.2 (high): An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/A…
CVE-2019-1003003 — CVSS 7.2 (high): An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/T…
CVE-2023-27899 — CVSS 7.0 (high): Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions…
CVE-2013-0327 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to…
CVE-2015-5318 — CVSS 6.8 (medium): Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for…
CVE-2014-3665 — CVSS 6.8 (medium): Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote…
CVE-2014-2066 — CVSS 6.8 (medium): Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors…
CVE-2013-2034 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before…
CVE-2018-6356 — CVSS 6.5 (medium): Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs…
CVE-2018-1000408 — CVSS 6.5 (medium): A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonP…
CVE-2018-1000406 — CVSS 6.5 (medium): A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameter…
CVE-2014-2058 — CVSS 6.5 (medium): BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute…
CVE-2014-2059 — CVSS 6.5 (medium): Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2…
CVE-2014-2062 — CVSS 6.5 (medium): Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated…
CVE-2015-1806 — CVSS 6.5 (medium): The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job…
CVE-2021-21683 — CVSS 6.5 (medium): The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting…
CVE-2015-5323 — CVSS 6.5 (medium): Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain…
CVE-2021-21607 — CVSS 6.5 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing…
CVE-2021-21602 — CVSS 6.5 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived…
CVE-2016-3724 — CVSS 6.5 (medium): Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password…
CVE-2017-1000355 — CVSS 6.5 (medium): Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate…
CVE-2019-10352 — CVSS 6.5 (medium): A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.j…
CVE-2018-1999047 — CVSS 6.5 (medium): A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers…
CVE-2018-1999044 — CVSS 6.5 (medium): A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with…
CVE-2018-1000997 — CVSS 6.5 (medium): A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in…
CVE-2018-1000864 — CVSS 6.5 (medium): A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with…
CVE-2024-43045 — CVSS 6.3 (medium): Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with…
CVE-2021-21610 — CVSS 6.1 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup…
CVE-2018-1000407 — CVSS 6.1 (medium): A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.jav…
CVE-2012-4439 — CVSS 6.1 (medium): Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or…
CVE-2016-0789 — CVSS 6.1 (medium): CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to…
CVE-2014-3663 — CVSS 6.0 (medium): Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended…
CVE-2017-1000396 — CVSS 5.9 (medium): Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that…
CVE-2020-2100 — CVSS 5.8 (medium): Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848.
CVE-2012-6073 — CVSS 5.8 (medium): Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x…
CVE-2026-53441 — CVSS 5.4 (medium): Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of…
CVE-2015-7536 — CVSS 5.4 (medium): Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject…
CVE-2017-2599 — CVSS 5.4 (medium): Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new…
CVE-2017-2601 — CVSS 5.4 (medium): Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353)…
CVE-2017-2610 — CVSS 5.4 (medium): jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping…
CVE-2017-2612 — CVSS 5.4 (medium): In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in…
CVE-2017-2613 — CVSS 5.4 (medium): jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained…
CVE-2018-1000170 — CVSS 5.4 (medium): A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and…
CVE-2018-1000409 — CVSS 5.4 (medium): A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPr…
CVE-2018-1999005 — CVSS 5.4 (medium): A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java…
CVE-2018-1999007 — CVSS 5.4 (medium): A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's…
CVE-2018-1999045 — CVSS 5.4 (medium): A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java…
CVE-2019-1003050 — CVSS 5.4 (medium): The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1…
CVE-2019-10401 — CVSS 5.4 (medium): In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded…
CVE-2019-10402 — CVSS 5.4 (medium): In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a…
CVE-2019-10403 — CVSS 5.4 (medium): Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a…
CVE-2019-10404 — CVSS 5.4 (medium): Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a…
CVE-2019-10405 — CVSS 5.4 (medium): Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing…
CVE-2020-2103 — CVSS 5.4 (medium): Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
CVE-2020-2105 — CVSS 5.4 (medium): REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
CVE-2020-2161 — CVSS 5.4 (medium): Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label…
CVE-2020-2162 — CVSS 5.4 (medium): Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a…
CVE-2020-2163 — CVSS 5.4 (medium): Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS…
CVE-2020-2220 — CVSS 5.4 (medium): Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored…
CVE-2020-2221 — CVSS 5.4 (medium): Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause…
CVE-2020-2222 — CVSS 5.4 (medium): Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting…
CVE-2020-2223 — CVSS 5.4 (medium): Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in…
CVE-2020-2229 — CVSS 5.4 (medium): Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site…
CVE-2020-2230 — CVSS 5.4 (medium): Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored…
CVE-2020-2231 — CVSS 5.4 (medium): Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds…
CVE-2021-21603 — CVSS 5.4 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting…
CVE-2021-21608 — CVSS 5.4 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting…
CVE-2021-21611 — CVSS 5.4 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page…
CVE-2022-34170 — CVSS 5.4 (medium): In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the…
CVE-2022-34171 — CVSS 5.4 (medium): In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new…
CVE-2022-34172 — CVSS 5.4 (medium): In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in…
CVE-2022-34173 — CVSS 5.4 (medium): In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job…
CVE-2022-41224 — CVSS 5.4 (medium): Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the…
CVE-2023-39151 — CVSS 5.4 (medium): Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into…
CVE-2023-43495 — CVSS 5.4 (medium): Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of…
CVE-2025-27624 — CVSS 5.4 (medium): A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users…
CVE-2023-27904 — CVSS 5.3 (medium): Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken…
CVE-2021-21609 — CVSS 5.3 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing…
CVE-2020-2101 — CVSS 5.3 (medium): Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which…
CVE-2018-1000068 — CVSS 5.3 (medium): An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an…
CVE-2021-21615 — CVSS 5.3 (medium): Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a…
CVE-2020-2102 — CVSS 5.3 (medium): Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
CVE-2018-1999042 — CVSS 5.3 (medium): A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a…
CVE-2025-59474 — CVSS 5.3 (medium): Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible…
CVE-2018-1000067 — CVSS 5.3 (medium): An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker…
CVE-2018-1000169 — CVSS 5.3 (medium): An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and…
CVE-2014-9635 — CVSS 5.3 (medium): Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which…
CVE-2014-9634 — CVSS 5.3 (medium): Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote…
CVE-2025-59476 — CVSS 5.3 (medium): Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified…
CVE-2016-0790 — CVSS 5.3 (medium): Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote…
CVE-2014-3662 — CVSS 5.0 (medium): Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.
CVE-2014-2060 — CVSS 5.0 (medium): The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified…
CVE-2015-5324 — CVSS 5.0 (medium): Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.
CVE-2014-2064 — CVSS 5.0 (medium): The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows…
CVE-2015-5322 — CVSS 5.0 (medium): Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and…
CVE-2015-5321 — CVSS 5.0 (medium): The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to…
CVE-2015-5320 — CVSS 5.0 (medium): Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote…
CVE-2015-5319 — CVSS 5.0 (medium): XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote…
CVE-2014-3661 — CVSS 5.0 (medium): Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related…
CVE-2014-2061 — CVSS 5.0 (medium): The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords…
CVE-2019-10406 — CVSS 4.8 (medium): Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration…
CVE-2017-1000392 — CVSS 4.8 (medium): Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted…
CVE-2019-10383 — CVSS 4.8 (medium): A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer…
CVE-2017-17383 — CVSS 4.7 (medium): Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form…
CVE-2015-1810 — CVSS 4.6 (medium): The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using…
CVE-2023-27903 — CVSS 4.4 (medium): Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions…
CVE-2012-6072 — CVSS 4.3 (medium): CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x…
CVE-2017-2611 — CVSS 4.3 (medium): Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs…
CVE-2013-5573 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web…
CVE-2016-3727 — CVSS 4.3 (medium): The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read…
CVE-2013-0328 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web…
CVE-2020-2104 — CVSS 4.3 (medium): Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.
CVE-2016-3725 — CVSS 4.3 (medium): Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a…
CVE-2024-47803 — CVSS 4.3 (medium): Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form…
CVE-2024-47804 — CVSS 4.3 (medium): If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGro…
CVE-2025-27622 — CVSS 4.3 (medium): Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via…
CVE-2025-27623 — CVSS 4.3 (medium): Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via…
CVE-2025-27625 — CVSS 4.3 (medium): In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing…
CVE-2025-31720 — CVSS 4.3 (medium): A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but…
CVE-2025-31721 — CVSS 4.3 (medium): A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but…
CVE-2025-59475 — CVSS 4.3 (medium): Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu…
CVE-2016-3723 — CVSS 4.3 (medium): Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation…
CVE-2016-3722 — CVSS 4.3 (medium): Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to…
CVE-2016-3721 — CVSS 4.3 (medium): Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build…
CVE-2021-21606 — CVSS 4.3 (medium): Jenkins 2.274 and earlier, LTS 2.263.1 and earlier improperly validates the format of a provided fingerprint ID when checking for its…
CVE-2015-5326 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote…
CVE-2025-67636 — CVSS 4.3 (medium): A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view…