Jenkins GitHub Plugin has an XSS vulnerability

GHSA-w22p-4x9f-486v · CVE-2026-42523

Published Apr 29, 2026 · Modified May 6, 2026

Description

In Jenkins GitHub Plugin versions 1.46.0 and earlier, the JavaScript that validates the "GitHub hook trigger for GITScm polling" feature improperly processes the current job URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

GitHub Plugin 1.46.0.1 no longer processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling".

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42523
WEB https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3704

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes