Jenkins plugins Multiple Vulnerabilities (2026-05-27)

high Nessus Plugin ID 317047

Synopsis

An application running on a remote web server host is affected by multiple vulnerabilities.

Description

According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

- Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. (CVE-2026-48927)

- Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. (CVE-2026-48920)

- Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. (CVE-2026-48916)

- Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. (CVE-2026-48917)

- Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. (CVE-2026-48918)

- Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. (CVE-2026-48919)

- Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. (CVE-2026-48921)

- Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. (CVE-2026-48922)

- Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. (CVE-2026-48923)

- Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. (CVE-2026-48924)

- A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request. (CVE-2026-48925)

- A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. (CVE-2026-9674)

- Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. (CVE-2026-48926)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update Jenkins plugins to the following versions:
- Active Directory Plugin to version 2.41.1 or later
- AppSpider Plugin to version 1.0.18 or later
- Bitbucket OAuth Plugin to version 0.18 or later
- buildgraph-view Plugin: See vendor advisory
- Credentials Binding Plugin to version 725.ve52b_2328a_fde or later
- Email Extension Plugin to version 1933.1935.v276319e3cc47 or later
- GitHub Integration Plugin to version 0.7.4 or later
- Job Import Plugin to version 143.145.v48f9a_a_6ff384 or later
- LDAP Plugin to version 807.809.vd3a_4e5e4ec98 or later
- Multijob Plugin to version 669.v9d96a_d9c71b_0 or later
- Pipeline: Groovy Libraries Plugin to version 798.v5cc688825312 or later

See vendor advisory for more details.

See Also

https://jenkins.io/security/advisory/2026-05-27

Plugin Details

Severity: High

ID: 317047

File Name: jenkins_security_advisory_2026-05-27_plugins.nasl

Version: 1.1

Type: Combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 5/27/2026

Updated: 5/27/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48927

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-48920

Vulnerability Information

CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Ease: No known exploits are available

Patch Publication Date: 5/27/2026

Vulnerability Publication Date: 5/27/2026

Reference Information

CVE: CVE-2026-48916, CVE-2026-48917, CVE-2026-48918, CVE-2026-48919, CVE-2026-48920, CVE-2026-48921, CVE-2026-48922, CVE-2026-48923, CVE-2026-48924, CVE-2026-48925, CVE-2026-48926, CVE-2026-48927, CVE-2026-9674