CVE Catalog

CVE-2026-42523

Critical
Published: Translated: NVD NIST

Summary

Jenkins GitHub Plugin version 1.46.0 and earlier improperly processes the current job URL in JavaScript, leading to a stored XSS vulnerability. Attackers with Overall/Read permissions can exploit this flaw.

Risk Assessment

The organization may be exposed to XSS attacks, potentially leading to data theft or session hijacking. Specifically, attackers can inject malicious code that will execute in the victim's browser context.

Recommendation

It is recommended to update the Jenkins GitHub Plugin to the latest version to mitigate this vulnerability. Additionally, access to Overall/Read permissions should be restricted to trusted users.

Original NVD description (English source)

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS