CVE-2025-67641

Source
https://cve.org/CVERecord?id=CVE-2025-67641
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67641.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67641
Aliases
Published
2025-12-10T17:15:56.630Z
Modified
2026-03-13T03:42:09.431021Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Jenkins Coverage Plugin 2.3054.ve1ff7baa123b and earlier validates the configured coverage results ID only when the job configuration is submitted through the UI, not when coverage results are created. Attackers with Item/Configure permission can therefore configure the job through the REST API to use a javascript: scheme URL as the identifier, resulting in a stored cross-site scripting (XSS) vulnerability.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.3054.ve1ff7b_a_a_123b"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67641.json"