Jenkins Github vulnerabilities

CVE-2026-42523 [CRITICAL] CWE-79 CVE-2026-42523: Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScr Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

CVE-2026-42519 [MEDIUM] Jenkins Security Advisory 2026-04-29 Title: Jenkins Security Advisory 2026-04-29 Jenkins Security Advisory 2026-04-29 Jenkins Security Home For Administrators Overview Terminology Vulnerabilities and Scoring Security Advisories Security Issues Advisory Schedule Vulnerabilities in Plugins How We Fix Security Issues For Reporters Reporting Vulnerabilities Jenkins CNA For Maintainers Overvi

CVE-2023-46650 [MEDIUM] CWE-79 CVE-2023-46650: Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page wh Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-36885 [MEDIUM] CWE-203 CVE-2022-36885: Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

CVE-2018-1000600 [HIGH] CWE-200 CVE-2018-1000600: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2018-1000184 [MEDIUM] CWE-918 CVE-2018-1000184: A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitH A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

CVE-2018-1000183 [MEDIUM] CWE-200 CVE-2018-1000183: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older i A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubServerConfig.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.