CVE-2026-57303
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
The Assembla Plugin for Jenkins version 1.4 and earlier does not configure its XML parser to prevent XXE attacks, allowing attackers to control responses from the Assembla server and extract secrets from the Jenkins controller.
Risk Assessment
Attackers can exploit this vulnerability to gain access to sensitive data or perform server-side request forgery attacks, potentially leading to serious security breaches.
Recommendation
It is recommended to update the Assembla Plugin to the latest version that improves the XML parser configuration to prevent XXE attacks.
Original NVD description (English source)
Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.

