Known vulnerabilities affecting Jenkins products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-53442 | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkin... | 5.3 | 124 | Neutral | No | Yes |
| CVE-2026-53440 | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attacker... | 4.3 | 142 | Neutral | No | Yes |
| CVE-2026-53439 | Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names o... | 4.3 | 163 | Neutral | No | Yes |
| CVE-2026-53438 | A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have ... | 4.3 | 163 | Neutral | No | Yes |
| CVE-2026-53437 | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, al... | 4.3 | 142 | Neutral | No | Yes |
| CVE-2026-53436 | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), al... | 4.3 | 142 | Neutral | No | Yes |
| CVE-2026-53435 | In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.x... | 8.8 | 673 | Neutral | No | Yes |
| CVE-2021-43859 | Impact: The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service o... | 7.5 | 616 | Neutral | Yes | Yes |
| CVE-2021-43578 | Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control ... | 8.1 | 476 | Neutral | No | Yes |
| CVE-2021-43577 | Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control workspace contents to hav... | 7.1 | 434 | Neutral | No | Yes |
| CVE-2021-43576 | Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Overall/Read and Item/Read permissions to have Jen... | 6.5 | 338 | Neutral | No | Yes |
| CVE-2021-28165 | Impact: When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU re... | 7.5 | 487 | Neutral | Yes | Yes |
| CVE-2021-22513 | Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to conne... | 6.5 | 273 | Neutral | No | Yes |
| CVE-2021-22512 | Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to conne... | 6.5 | 273 | Neutral | No | Yes |
| CVE-2021-22511 | Micro Focus Application Automation Tools Plugin 6.7 and earlier unconditionally disables SSL/TLS certificate validation for connections to Service Virtualization servers. Micro Focus Application Auto... | 6.5 | 216 | Neutral | No | Yes |
| CVE-2021-22510 | Micro Focus Application Automation Tools Plugin 6.7 and earlier does not escape user input in a form validation response. This results in a reflected cross-site scripting (XSS) vulnerability. Micro ... | 6.1 | 272 | Neutral | No | Yes |
| CVE-2021-21701 | Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control workspace contents to have Jenkins pa... | 6.5 | 338 | Neutral | No | Yes |
| CVE-2021-21700 | Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion. This results in a stored cross-site scripting (XSS) vulnerability exploit... | 5.4 | 223 | Neutral | No | Yes |
| CVE-2021-21699 | Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters. This results in a stored cross-site scripting (XSS) vulnera... | 5.4 | 223 | Neutral | No | Yes |
| CVE-2021-21698 | Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. This allows attackers able to control agent processes ... | 7.5 | 508 | Neutral | No | Yes |