CVE-2026-42524 PUBLISHED

Assigner: jenkins
Reserved: 28.04.2026 Published: 29.04.2026 Updated: 29.04.2026

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Product Status

Vendor	Jenkins Project
Product	Jenkins HTML Publisher Plugin
Versions	Default: unaffected affected from 0 to 427 (incl.)

References

Jenkins Security Advisory 2026-04-29