Security context
What an agent needs to avoid regressing past fixes — and find the next bug in this project.
Jenkins
jenkinsci/jenkins The leading open-source automation server.
Maven · org.jenkins-ci.main:jenkins-core
252
Advisories
252
CVEs
Critical
Peak severity
219
With fix diff
Distribution
By severity
Critical
19
High
61
Medium
152
Low
20
By weakness class
Other
58
Cross-site Scripting
51
Auth / Access Control
37
Information Disclosure
32
Path Traversal
19
CSRF
17
Improper Validation
16
Deserialization
8
Denial of Service
3
Open Redirect
2
Every fixed vulnerability (252)
Critical16 fixed
CriticalArbitrary file read vulnerability through the Jenkins CLI can lead to RCECVE-2024-238972y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216864y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216914y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216874y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216854y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216924y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216934y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216904y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216894y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216884y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216944y agoCriticalAgent-to-controller access control allows reading/writing most content of build directories in JenkinsCVE-2021-216974y agoCriticalMultiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in JenkinsCVE-2021-216954y agoCriticalExposure of Sensitive Information to an Unauthorized Actor in JenkinsCVE-2017-10003624y agoCriticalJenkins allows Execution of Code by Opening a JRMP ListenerCVE-2016-07884y agoCriticalExposure of Sensitive Information in Jenkins CoreCVE-2016-07914y ago
High38 fixed
HighJenkins: Stored XSS vulnerability in node offline cause description CVE-2026-534411mo agoHighJenkins has a DNS rebinding vulnerability in WebSocket CLI origin validationCVE-2026-330024mo agoHighJenkins has a link following vulnerability allows arbitrary file creationCVE-2026-330014mo agoHighJenkins has a stored XSS vulnerability in node offline cause descriptionCVE-2026-270994mo agoHighJenkins has a Denial of service vulnerability in HTTP-based CLICVE-2025-676357mo agoHighJenkins Remoting library arbitrary file read vulnerabilityCVE-2024-430441y agoHighCross-site WebSocket hijacking vulnerability in the Jenkins CLICVE-2024-238982y agoHighJenkins temporary plugin file created with insecure permissions CVE-2023-434962y agoHighJenkins Cross-site Scripting vulnerabilityCVE-2023-434952y agoHighJenkins Stored Cross-site Scripting vulnerability CVE-2023-391512y agoHighJenkins CSRF protection bypass vulnerabilityCVE-2023-351413y agoHighDenial of service in Jenkins CoreCVE-2023-279013y agoHighIncorrect Authorization in Jenkins CoreCVE-2023-278993y agoHighCross-site Scripting vulnerability in JenkinsCVE-2023-278983y agoHighJenkins vulnerable to stored cross site scripting in the I:helpIcon componentCVE-2022-412243y agoHighCross-site Scripting vulnerability in JenkinsCVE-2022-341704y agoHighCross-site Scripting vulnerability in JenkinsCVE-2022-341734y agoHighCross-site Scripting vulnerability in JenkinsCVE-2022-341714y agoHighCross-site Scripting vulnerability in JenkinsCVE-2022-341724y agoHighUnauthorized view fragment access in JenkinsCVE-2022-341754y agoHighAgent-to-controller access control allowed writing to sensitive directory used by Jenkins Pipeline: Shared Groovy Libraries PluginCVE-2021-216964y agoHighSession fixation vulnerability in JenkinsCVE-2021-216714y agoHighPath traversal vulnerability in Jenkins agent namesCVE-2021-216054y agoHighImproper handling of REST API XML deserialization errors in JenkinsCVE-2021-216044y agoHighJenkins Cross-site Scripting vulnerability in project naming strategyCVE-2020-22304y agoHighJenkins Cross-Site Scripting vulnerability in help iconsCVE-2020-22294y agoHighStored XSS vulnerability in Jenkins 'keep forever' badge iconCVE-2020-22224y agoHighStored XSS vulnerability in Jenkins upstream causeCVE-2020-22214y agoHighStored XSS vulnerability in Jenkins console linksCVE-2020-22234y agoHighStored XSS vulnerability in Jenkins job build time trendCVE-2020-22204y agoHighCross-Site Request Forgery in JenkinsCVE-2020-21604y agoHighInbound TCP Agent Protocol/3 authentication bypass in JenkinsCVE-2020-20994y agoHighXML external entity (XXE) vulnerability in JenkinsCVE-2015-18114y agoHighXML external entity (XXE) vulnerability in JenkinsCVE-2015-18094y agoHighCross-Site Request Forgery in JenkinsCVE-2019-103844y agoHighCross-Site Request Forgery in JenkinsCVE-2019-103534y agoHighJenkins allows Deserialization of Untrusted Data via an XML FileCVE-2016-07924y agoHighJenkins affected by Open Redirect VulnerabilityCVE-2016-37264y ago
Medium85 fixed
MediumJenkins has a build information disclosure vulnerability through Run Parameter CVE-2026-271004mo agoMediumJenkins's build authorization token is stored and displayed in plain textCVE-2025-676377mo agoMediumJenkins's build authorization token is stored and displayed in plain textCVE-2025-676387mo agoMediumJenkins is missing a permission check on password fieldsCVE-2025-676367mo agoMediumJenkins is missing a permission check in the authenticated users' profile menu CVE-2025-5947510mo agoMediumJenkins has a missing permission check, allowing users to obtain agent namesCVE-2025-5947410mo agoMediumJenkins has a log message injection vulnerabilityCVE-2025-5947610mo agoMediumJenkins Missing Permission CheckCVE-2025-317201y agoMediumJenkins Missing Permission CheckCVE-2025-317211y agoMediumJenkins cross-site request forgery (CSRF) vulnerabilityCVE-2025-276241y agoMediumJenkins Open Redirect vulnerability CVE-2025-276251y agoMediumJenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permissionCVE-2025-276221y agoMediumJenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permissionCVE-2025-276231y agoMediumJenkins item creation restriction bypass vulnerabilityCVE-2024-478041y agoMediumJenkins exposes multi-line secrets through error messagesCVE-2024-478031y agoMediumJenkins does not perform a permission check in an HTTP endpointCVE-2024-430451y agoMediumJenkins does not exclude sensitive build variables from searchCVE-2023-434942y agoMediumIncorrect Permission Preservation in Jenkins CoreCVE-2023-279023y agoMediumDenial of service in Jenkins CoreCVE-2023-279003y agoMediumObservable timing discrepancy allows determining username validity in JenkinsCVE-2022-341744y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2019-104064y agoMediumExposure of Sensitive Information to an Unauthorized Actor in JenkinsCVE-2019-104054y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2019-104034y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2019-104044y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2019-104014y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2019-104024y agoMediumPath traversal vulnerability on Windows in JenkinsCVE-2021-216834y agoMediumImproper handling of equivalent directory names on Windows in JenkinsCVE-2021-216824y agoMediumImproper permission checks allow canceling queue items and aborting builds in JenkinsCVE-2021-216704y agoMediumLack of type validation in agent related REST API in JenkinsCVE-2021-216394y agoMediumView name validation bypass in JenkinsCVE-2021-216404y agoMediumTime-of-check Time-of-use (TOCTOU) Race Condition in JenkinsCVE-2021-216154y agoMediumReflected XSS vulnerability in Jenkins markup formatter previewCVE-2021-216104y agoMediumExcessive memory allocation in graph URLs leads to denial of service in JenkinsCVE-2021-216074y agoMediumStored XSS vulnerability in Jenkins on new item pageCVE-2021-216114y agoMediumMissing permission check for paths with specific prefix in JenkinsCVE-2021-216094y agoMediumXSS vulnerability in Jenkins notification barCVE-2021-216034y agoMediumArbitrary file existence check in file fingerprints in JenkinsCVE-2021-216064y agoMediumArbitrary file read vulnerability in workspace browsers in JenkinsCVE-2021-216024y agoMediumStored XSS vulnerability in Jenkins button labelsCVE-2021-216084y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2020-22314y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2020-21634y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2020-21624y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2020-21614y agoMediumJenkins Diagnostic page exposed session cookiesCVE-2020-21034y agoMediumNon-constant time HMAC comparisonCVE-2020-21024y agoMediumJenkins vulnerable to UDP amplification reflection attackCVE-2020-21004y agoMediumMemory usage graphs accessible to anyone with Overall/ReadCVE-2020-21044y agoMediumNon-constant time comparison of inbound TCP agent connection secretCVE-2020-21014y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2019-103834y agoMediumMissing Authorization in JenkinsCVE-2019-103544y agoMediumImproper Limitation of a Pathname to a Restricted Directory in JenkinsCVE-2019-103524y agoMediumJenkins allows attackers to execute arbitrary jobsCVE-2014-20584y agoMediumJenkins allows Remote Attackers to Hijack SessionsCVE-2014-20604y agoMediumJenkins allows attackers to configure restricted projectsCVE-2013-73304y agoMediumJenkin allows attackers to obtain passwords by reading the HTML source codeCVE-2014-20614y agoMediumJenkins does not invalidate the API token when a user is deletedCVE-2014-20624y agoMediumJenkins Vulnerable to ClickjackingCVE-2014-20634y agoMediumJenkins allows attackers to determine whether a user existsCVE-2014-20644y agoMediumJenkins session fixation vulnerabilityCVE-2014-20664y agoMediumJenkins cross-site scripting (XSS) vulnerabilityCVE-2014-20654y agoMediumJenkins Denial of Service vulnerabilityCVE-2014-36614y agoMediumImproper Neutralization of Input During Web Page Generation in JenkinsCVE-2015-75364y agoMediumJenkins allows remote authenticated users to bypass intended restrictions and create or destroy arbitrary jobsCVE-2014-36634y agoMediumJenkins improperly ensures trust separationCVE-2014-36654y agoMediumJenkins Exposure of Sensitive Information to an Unauthorized Actor vulnerabilityCVE-2014-36624y agoMediumJenkins allows for Code Execution via Crafted Packet to the CLICVE-2014-36664y agoMediumJenkins does not Restrict Reserved Names Allowing for Privilege Escalation CVE-2015-18104y agoMediumJenkins allows Remote Users to Obtain Sensitive Information from a Plugin CodeCVE-2014-36674y agoMediumJenkins allows for Privilege Escalation by Remote Authenticated UsersCVE-2015-18064y agoMediumJenkins Exposure of Sensitive Information to an Unauthorized Actor vulnerabilityCVE-2014-36804y agoMediumJenkins allows for Privilege Escalation by Remote Authenticated UsersCVE-2015-18144y agoMediumJenkins Cross-site Scripting vulnerabilityCVE-2015-18124y agoMediumJenkins Cross-Site Request Forgery vulnerabilitiesCVE-2013-20344y agoMediumJenkins directory traversal vulnerabilityCVE-2014-20594y agoMediumJenkins cross-site scripting (XSS) vulnerabilityCVE-2014-20674y agoMediumJenkins Path Traversal vulnerabilityCVE-2014-36644y agoMediumJenkins HttpOnly flag not Set for session cookiesCVE-2014-96354y agoMediumJenkins secure flag not set on session cookiesCVE-2014-96344y agoMediumCross-site Scripting in Jenkins CoreCVE-2017-173834y agoMediumJenkins has CRLF Injection Vulnerability in the CLICVE-2016-07894y agoMediumExposure of Sensitive Information in Jenkins CoreCVE-2016-07904y agoMediumJenkins allows Remote Users to Inject Build ParametersCVE-2016-37214y agoMediumExposure of Sensitive Information in Jenkins CoreCVE-2016-37234y agoMediumIncorrect Authorization in Jenkins CoreCVE-2016-37224y ago
Low11 fixed
LowJenkins has a CSRF vulnerability on the login formCVE-2025-676397mo agoLowJenkins temporary uploaded file created with insecure permissionsCVE-2023-434982y agoLowJenkins temporary uploaded file created with insecure permissionsCVE-2023-434972y agoLowIncorrect Authorization in Jenkins CoreCVE-2023-279033y agoLow Information disclosure through error stack traces related to agents CVE-2023-279043y agoLowJenkins REST APIs vulnerable to clickjackingCVE-2020-21054y agoLowJenkins allows Cross-Site Scripting (XSS)CVE-2011-43444y agoLowJenkins allows attackers to obtain sensitive informationCVE-2014-20684y agoLowJenkins allows Cross-Site Scripting (XSS)CVE-2015-18134y agoLowJenkins Vulnerable to Denial of Service (DoS)CVE-2015-18084y agoLowJenkins allows Cross-Site Scripting (XSS) in User ConfigurationCVE-2013-55734y ago
Showing the 150 most recent of 252.