Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-42523 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-29 |
| Vendor | Jenkins |
| Product | GitHub Plugin |
| CVSS Score | 9.0 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL in the JavaScript that implements validation for the “GitHub hook trigger for GITScm polling” option, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated (non-anonymous) attackers with Overall/Read permission. As with any stored XSS, the injected script runs in the browser of whoever views the affected page, so its impact is bounded by the victim's permissions: an administrator viewing the page runs the attacker's script with administrator rights.
Required Actions
Update the Jenkins GitHub Plugin to a release newer than 1.46.0 (use the latest version published on the Jenkins update center). Review the users and groups granted Overall/Read and restrict that permission to trusted team members; where the authorization strategy grants Overall/Read broadly (for example to every authenticated user), every account holder can reach the vulnerable code path. After patching, consider forcing administrators to re-authenticate so that any session an attacker may have hijacked through the XSS is invalidated.
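The following is an added example to support the first step above; it is not code from the advisory or from the Jenkins project. It reads the JSON that a Jenkins controller returns from its plugin manager API (`GET $JENKINS_URL/pluginManager/api/json?depth=1`, fetched with administrator credentials) and flags the GitHub Plugin if its version falls within "1.46.0 and earlier". It assumes the plugin's update-center id (`shortName`) is `github` and that versions can be compared on their dotted numeric prefix; the sample payload embedded below is constructed for offline use.

```python
"""Check a Jenkins plugin-manager payload for the vulnerable GitHub Plugin range.

Added example, not code from the advisory or from the Jenkins project.
Fetch the input with, for example:
  curl -s -u "$USER:$API_TOKEN" "$JENKINS_URL/pluginManager/api/json?depth=1"
and pipe it into this script (or run it with no input to use the built-in sample).

Assumptions: the GitHub Plugin's shortName is "github", and versions are
compared on their dotted numeric prefix only.
"""
import json
import re

AFFECTED_MAX = "1.46.0"          # "1.46.0 and earlier" per the advisory
PLUGIN_SHORT_NAME = "github"     # assumed update-center id of the GitHub Plugin


def parse_version(version: str) -> tuple:
    """Turn '1.46.0', '1.46' or '1.37.3.1' into a tuple of ints.

    Only the dotted numeric prefix is compared; anything after the first '-'
    (pre-release or build tags) is ignored. Short versions are padded with
    zeros so that '1.46' sorts equal to '1.46.0'.
    """
    nums = [int(x) for x in re.findall(r"\d+", version.split("-", 1)[0])]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the installed version is within '1.46.0 and earlier'."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def audit_plugins(plugin_manager_json: str) -> dict:
    """Summarise the GitHub Plugin state from a pluginManager API payload."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = str(plugin.get("version", ""))
            return {
                "installed": True,
                "version": version,
                "active": bool(plugin.get("active", True)),
                "affected": is_affected(version),
            }
    return {"installed": False, "version": None, "active": False, "affected": False}


# Constructed sample payload for offline use; a real response carries many more fields.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.2", "active": True},
        {"shortName": "github", "version": "1.46.0", "active": True},
        {"shortName": "github-api", "version": "1.318", "active": True},
    ]
})


if __name__ == "__main__":
    import sys
    payload = SAMPLE_PLUGIN_MANAGER_JSON if sys.stdin.isatty() else sys.stdin.read()
    result = audit_plugins(payload)
    if not result["installed"]:
        print("GitHub Plugin not installed: not affected by CVE-2026-42523")
    elif result["affected"]:
        print(f"GitHub Plugin {result['version']} is affected: "
              f"update to a release newer than {AFFECTED_MAX}")
    else:
        print(f"GitHub Plugin {result['version']} is newer than {AFFECTED_MAX}: not affected")
```

Run it against each controller in your estate; an `"active": false` result still means the vulnerable code is installed and should be updated or removed rather than left disabled.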
Who Is Affected?
This vulnerability affects the GitHub Plugin for Jenkins. Check whether your organization runs Jenkins with the GitHub Plugin installed (common in CI/CD environments that build from GitHub repositories) and roll out the update.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
