Security Vulnerabilities
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.
CVSS Score
6.6
EPSS Score
0.013
Published
2026-05-27
Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.
CVSS Score
6.6
EPSS Score
0.003
Published
2026-05-27
Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.
CVSS Score
6.6
EPSS Score
0.013
Published
2026-05-27
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.
CVSS Score
8.8
EPSS Score
0.004
Published
2026-05-27
Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
CVSS Score
7.5
EPSS Score
0.004
Published
2026-05-27
Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
CVSS Score
7.5
EPSS Score
0.018
Published
2026-05-27
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-05-27
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
CVSS Score
2.3
EPSS Score
0.0
Published
2026-05-27
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-05-27
RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.
CVSS Score
5.6
EPSS Score
0.0
Published
2026-05-27