CVE-2026-42523: Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook…

critical9CVSS 3.1

AVNACLPRLUIRSCCHIHAH

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Affected

14 ranges

Vendor	Product	Version range	Fixed in
jenkins	credentials_binding	—	—
jenkins	credentials_binding_plugin	—	—
jenkins	github	< 1.46.0.1	1.46.0.1
jenkins	github	—	—
jenkins	github_branch_source	—	—
jenkins	github_branch_source_plugin	—	—
jenkins	github_plugin	—	—
jenkins	html_publisher	—	—
jenkins	html_publisher_plugin	—	—
jenkins	matrix_authorization_strategy	—	—
jenkins	matrix_authorization_strategy_plugin	—	—
jenkins	script_security	—	—
jenkins	script_security_plugin	—	—
jenkins_project	jenkins_github_plugin	<= 1.46.0	—