ThreatCluster

Critical Vulnerabilities Discovered in Jenkins Plugins

First seen 28 May 2026, 21:15 UTC Nvd.Nistcve.org 84% similarity 72

Article Content

Browse articles
ThreatCluster

Two significant vulnerabilities have been identified in Jenkins plugins, CVE-2026-48922 and CVE-2026-48925. The Jenkins Credentials Binding Plugin allows attackers to write files to arbitrary locations, potentially leading to remote code execution. This affects versions 720.v3f6decef43ea_ and earlier. The second vulnerability, CVE-2026-48925, is a cross-site request forgery (CSRF) flaw in the Jenkins GitHub Integration Plugin, enabling attackers to trigger builds for pull requests. Both vulnerabilities were published on May 27, 2026, and pose serious risks to Jenkins users. Immediate action is recommended to mitigate these threats.

Key Points: • CVE-2026-48922 allows remote code execution via the Credentials Binding Plugin. • CVE-2026-48925 enables CSRF attacks in the GitHub Integration Plugin. • Both vulnerabilities were published on May 27, 2026, and require urgent attention.

ThreatCluster AI

Timeline

2026-05-27
CVE-2026-48922 published
A vulnerability in the Jenkins Credentials Binding Plugin allows arbitrary file writing, risking remote code execution.
Nvd.Nist
2026-05-27
CVE-2026-48925 published
A CSRF vulnerability in the Jenkins GitHub Integration Plugin allows unauthorized build triggers for pull requests.
Nvd.Nist
2026-05-28
Security advisory issued
Jenkins users are advised to update their plugins immediately to mitigate the identified vulnerabilities.
Nvd.Nist

Community

Browse all →