CVE-2025-53658 — Jenkins Applitools Eyes Plugin vulnerable to XSS through its Build page

Description

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML metacharacters.

How to fix CVE-2025-53658

To remediate CVE-2025-53658, upgrade the affected package to a fixed version below.

—upgrade to 1.16.6 or later

Is CVE-2025-53658 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.16.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-53658
WEBgithub.com/jenkinsci/applitools-eyes-plugin
WEBwww.jenkins.io/security/advisory/2025-07-09/#SECURITY-3509
WEBwww.openwall.com/lists/oss-security/2025/07/09/4