Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21148
Total
1520
Critical
6441
High
6722
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-57301 | HIGH | 8.8 | Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to … | Jun 24, 2026 |
| CVE-2026-57300 | MEDIUM | 4.3 | A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs … | Jun 24, 2026 |
| CVE-2026-57299 | UNKNOWN | — | Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast … | Jun 24, 2026 |
| CVE-2026-57298 | MEDIUM | 5.4 | A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified … | Jun 24, 2026 |
| CVE-2026-57297 | UNKNOWN | — | A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL … | Jun 24, 2026 |
| CVE-2026-57296 | HIGH | 8.8 | Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, … | Jun 24, 2026 |
| CVE-2026-57295 | MEDIUM | 5.4 | A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials … | Jun 24, 2026 |
| CVE-2026-57294 | MEDIUM | 5.4 | A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified … | Jun 24, 2026 |
| CVE-2026-57293 | MEDIUM | 4.3 | An incorrect permission check in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) … | Jun 24, 2026 |
| CVE-2026-57292 | MEDIUM | 5.4 | A cross-site request forgery (CSRF) vulnerability in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs … | Jun 24, 2026 |
| CVE-2026-57291 | MEDIUM | 5.4 | Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs … | Jun 24, 2026 |
| CVE-2026-57290 | MEDIUM | 4.3 | A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration. | Jun 24, 2026 |
| CVE-2026-57289 | MEDIUM | 4.8 | Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to … | Jun 24, 2026 |
| CVE-2026-57288 | LOW | 3.7 | Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication … | Jun 24, 2026 |
| CVE-2026-57287 | MEDIUM | 4.3 | Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers … | Jun 24, 2026 |
| CVE-2026-57286 | MEDIUM | 4.3 | A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used … | Jun 24, 2026 |
| CVE-2026-57285 | MEDIUM | 4.3 | A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise … | Jun 24, 2026 |
| CVE-2026-57284 | MEDIUM | 4.3 | Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate … | Jun 24, 2026 |
| CVE-2026-57283 | MEDIUM | 4.3 | A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration … | Jun 24, 2026 |
| CVE-2026-57282 | MEDIUM | 5.0 | Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, … | Jun 24, 2026 |
| CVE-2026-57281 | HIGH | 7.5 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy … | Jun 24, 2026 |
| CVE-2026-57280 | HIGH | 8.8 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy … | Jun 24, 2026 |
| CVE-2026-42450 | UNKNOWN | — | OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when … | Jun 24, 2026 |
| CVE-2026-35025 | HIGH | 8.1 | ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with … | Jun 24, 2026 |
| CVE-2026-29034 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | Jun 24, 2026 |