Description
Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Published: 2026-04-29
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins HTML Publisher Plugin versions 427 and earlier do not escape the job name and job URL in the legacy wrapper file, enabling a stored cross‑site scripting flaw. When an attacker with Item/Configure permission injects malicious script into a job, the script is persisted and later rendered to any user who views the job’s HTML report. This can lead to theft of session cookies, credential exfiltration, or arbitrary client‑side action.

Affected Systems

The vulnerability affects Jenkins Project’s HTML Publisher Plugin up to and including version 427. No newer versions are listed as vulnerable.

Risk and Exploitability

This flaw is a high‑severity stored XSS, and although no EPSS score or KEV listing is available, the required attacker privilege (Item/Configure) is common in many build configurations. The CVSS score of 8 indicates high severity, reinforcing the risk posed to installations that still run the affected plugin, while the practical impact and ease of exploitation imply a significant threat to any installation that still runs the affected plugin.

Generated by OpenCVE AI on April 29, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HTML Publisher Plugin to version 428 or later.
  • After upgrading, restrict or revoke Item/Configure permissions for untrusted users or roles to limit the ability to inject malicious scripts.
  • If an upgrade must be delayed, immediately disable the legacy wrapper or uninstall the HTML Publisher Plugin to eliminate the XSS vector until a patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Html Publisher Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Html Publisher Plugin

Wed, 29 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting in Jenkins HTML Publisher Plugin

Wed, 29 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
References

Subscriptions

Jenkins Project Jenkins Html Publisher Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-04-29T14:29:40.872Z

Reserved: 2026-04-28T09:24:35.049Z

Link: CVE-2026-42524

cve-icon Vulnrichment

Updated: 2026-04-29T14:27:46.212Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-29T14:16:19.457

Modified: 2026-04-30T15:11:12.703

Link: CVE-2026-42524

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:21:18Z

Weaknesses