Jenkins Security Advisory: Multiple Plugin Vulnerabilities including RCE, XSS, and Deserialization (CVE-2026-42519 to 42525)

Jenkins Security Advisory 2026-04-29 Vulnerability Summary Vulnerability Overview This advisory covers security vulnerabilities in multiple Jenkins plugins, primarily including missing permission checks, path traversal, deserialization vulnerabilities, and cross-site scripting (XSS). 1. Script Security Plugin Missing Permission Check CVE: CVE-2026-42519 Severity: Medium Description: Older versions of the plugin did not perform permission checks on HTTP endpoints, allowing attackers with permission to enumerate pending and approved Classpaths. 2. Credentials Binding Plugin Path Traversal Vulnerability CVE: CVE-2026-42520 Severity: High Description: The plugin does not sanitize file names, enabling attackers to write credentials to arbitrary locations on the node’s filesystem. If Jenkins is configured to allow low-privileged users to configure credentials, this may lead to remote code execution. 3. Matrix Authorization Strategy Plugin Insecure Deserialization CVE: CVE-2026-42521 Severity: Medium Description: The plugin does not restrict instantiable classes when deserializing inheritance policies, allowing attackers with permission to instantiate arbitrary types, potentially leading to information disclosure. 4. GitHub Branch Source Plugin Missing Permission Check CVE: CVE-2026-42522 Severity: Medium Description: The plugin does not perform permission checks in form validation methods, allowing attackers with permission to connect to attacker-specified URLs. 5. GitHub Plugin Cross-Site Scripting (XSS) CVE: CVE-2026-42523 Severity: High Description: The plugin does not properly handle the current job URL when processing the "GitHub hook trigger for GITScm polling" feature, resulting in a stored XSS vulnerability. 6. HTML Publisher Plugin Cross-Site Scripting (XSS) CVE: CVE-2026-42524 Severity: High Description: The plugin fails to escape job names and URLs when generating legacy wrapper files, leading to a stored XSS vulnerability. 7. Microsoft Entra ID (Azure AD) Plugin Open Redirect CVE: CVE-2026-42525 Severity: Medium Description: The plugin does not restrict redirect URLs after login, allowing attackers to exploit this to redirect users to external malicious sites for phishing attacks. --- Affected Versions The following plugin versions are affected by the above vulnerabilities: Credentials Binding Plugin: 719.v80e905ef14eb_ and earlier GitHub Plugin: 1.46.0 and earlier GitHub Branch Source Plugin: 1967.vdea_d580c1a_b_a_ and earlier HTML Publisher Plugin: 427 and earlier Matrix Authorization Strategy Plugin: 2.0-beta-1 through 3.2.9 (inclusive) Microsoft Entra ID (Azure AD) Plugin: 666.v6060de32f87d and earlier Script Security Plugin: 1399.ve6a_6654776e1 and earlier --- Remediation It is recommended to update the affected plugins to the following secure versions: Credentials Binding Plugin: Update to 720.v3f6dedef43ea_ GitHub Plugin: Update to 1.46.0.1 GitHub Branch Source Plugin: Update to 1967.1969.v205fd594c821 HTML Publisher Plugin: Update to 427.1 Matrix Authorization Strategy Plugin: Update to 3.2.10 Microsoft Entra ID (Azure AD) Plugin: Update to 667.v4c5827a_e74a_0 Script Security Plugin: Update to 1402.v94c9ce464861 (Note: For the HTML Publisher Plugin, enforcing Content Security Policy in Jenkins 2.539 and later can also mitigate this XSS vulnerability.)*

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Multiple Plugin Vulnerabilities including RCE, XSS, and Deserialization (CVE-2026-42519 to 42525)