CVE-2026-42523
Jenkins GitHub Plugin has an XSS vulnerability
9.0
CRITICAL
CVSS 3.1
EPSS 0.05%
Description
In Jenkins GitHub Plugin versions 1.46.0 and earlier, the JavaScript that validates the "GitHub hook trigger for GITScm polling" feature improperly processes the current job URL. This results in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission. GitHub Plugin 1.46.0.1 no longer processes the current job URL in the JavaScript that validates the "GitHub hook trigger for GITScm polling" feature.
How to fix CVE-2026-42523
To remediate CVE-2026-42523, upgrade the affected package to a fixed version listed below.
- Upgrade Jenkins GitHub Plugin to 1.46.0.1 or later
Is CVE-2026-42523 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Jenkins GitHub Plugin: all versions from 0 up to, but not including, 1.46.0.1
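The following is an added check, not part of this advisory or of the plugin project: it reads a plugin list shaped like the output of Jenkins' `/pluginManager/api/json?depth=1` endpoint (the sample response here is constructed) and reports whether the installed GitHub Plugin version falls inside the affected range, taking care that four-part versions such as 1.46.0.1 compare correctly against three-part ones such as 1.46.0.

```python
import json
import re

# Affected range from the advisory: every version below 1.46.0.1.
FIXED_VERSION = "1.46.0.1"
# Jenkins shortName of the GitHub Plugin as reported by the plugin manager API.
PLUGIN_SHORT_NAME = "github"


def parse_version(version: str) -> tuple:
    """Turn a Jenkins plugin version into a tuple of ints.
    Qualifiers after a '-' (e.g. '-SNAPSHOT') are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator.
    Shorter tuples are zero-padded so 1.46.0 sorts below 1.46.0.1
    and 1.46.0.0 equals 1.46.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str) -> bool:
    """True when the installed version is below the fixed version."""
    return compare_versions(version, FIXED_VERSION) < 0


def check_plugin_manager(api_json: str):
    """Return (installed_version, affected) for the GitHub Plugin,
    or (None, False) when the plugin is not installed."""
    data = json.loads(api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin.get("version", "")
            return version, is_affected(version)
    return None, False


# Constructed sample, shaped like GET /pluginManager/api/json?depth=1
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.0", "active": True},
    {"shortName": "github", "version": "1.46.0", "active": True},
]})

if __name__ == "__main__":
    installed, affected = check_plugin_manager(SAMPLE_RESPONSE)
    print(f"github plugin {installed}: affected={affected}")
```

Against a live controller, fetch the JSON with an API token that has Overall/Read and pass the body to `check_plugin_manager`.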
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |