CVE-2026-42524 — Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file

Description

Jenkins HTML Publisher Plugin versoins 427 and earlier do not escape the job name and URL in the legacy wrapper file. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. HTML Publisher Plugin 427.1 escapes job name and URL when generating the legacy wrapper file.

How to fix CVE-2026-42524

To remediate CVE-2026-42524, upgrade the affected package to a fixed version below.

—upgrade to 427.1 or later

Is CVE-2026-42524 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 427.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-42524
PATCHgithub.com/jenkinsci/htmlpublisher-plugin
WEBwww.jenkins.io/security/advisory/2026-04-29/#SECURITY-3706