CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.get_avatar function.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in reference_document, leading to script execution when users open the affected Auto Repeat form.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component.
OpenText Access Manager versions 5.1 through 5.1.2 are vulnerable to Cross-Site Scripting (XSS) due to improper input neutralization during web page generation. This allows an attacker to inject malicious JavaScript into a victim's browser.
A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
A CSRF vulnerability in Jenkins Zowe zDevOps Plugin version 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
The Assembla Plugin in Jenkins versions 1.4 and earlier has a CSRF vulnerability that allows attackers to connect to an attacker-specified URL using an attacker-specified username and password.
A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password.
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access.
Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata.
The Jenkins Contrast Continuous Application Security Plugin version 3.11 and earlier contains a cross-site request forgery (CSRF) vulnerability that allows attackers to force Jenkins to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
A CSRF vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
The Gitee Plugin in Jenkins version 1288.v18b_deb_c9069b_ and earlier has an incorrect permission check, allowing attackers with global Item/Configure permission to enumerate credential IDs stored in Jenkins.
The Gitee Plugin in Jenkins version 1288.v18b_deb_c9069b_ and earlier contains a CSRF vulnerability that allows attackers to connect to an attacker-specified URL using credentials IDs obtained through another method.
The Gitee Plugin in Jenkins version 1288.v18b_deb_c9069b_ and earlier has missing permission checks, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method.
A CSRF vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration.

