Jenkins published a security advisory covering multiple vulnerabilities in widely used plugins, with fixes released for affected versions. The disclosed issues span missing permission checks, unsafe deserialization, stored cross-site scripting, and an open redirect, affecting plugins including Script Security, Credentials Binding, Matrix Authorization Strategy, GitHub Branch Source, GitHub, HTML Publisher, and Microsoft Entra ID.
The most serious issue is an arbitrary file write flaw that can lead to remote code execution, while other bugs could let attackers abuse low-privilege access such as Overall/Read, Item/Configure, or the ability to supply credentials to a job. Jenkins said the advisory includes severity ratings, attribution, and patched plugin versions, and urged administrators to update impacted plugins to the fixed releases.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Jenkins published its 2026-04-29 security advisory disclosing multiple vulnerabilities in several plugins, including missing permission checks, arbitrary file write leading to possible remote code execution, unsafe deserialization, stored cross-site scripting, and an open redirect. Fixed versions were released for affected plugins including Script Security, Credentials Binding, Matrix Authorization Strategy, GitHub Branch Source, GitHub, HTML Publisher, and Microsoft Entra ID.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcecyber.gc.ca
Open sourcejenkins.io
Open sourceseclists.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.