GHSA-w22p-4x9f-486v

Source
https://github.com/advisories/GHSA-w22p-4x9f-486v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w22p-4x9f-486v/GHSA-w22p-4x9f-486v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w22p-4x9f-486v
Aliases
  • CVE-2026-42523
Published
2026-04-29T15:30:38Z
Modified
2026-05-06T23:04:53.918419Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
Jenkins GitHub Plugin has an XSS vulnerability
Details

In Jenkins GitHub Plugin versions 1.46.0 and earlier, the JavaScript that validates the "GitHub hook trigger for GITScm polling" feature improperly processes the current job URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

GitHub Plugin 1.46.0.1 no longer processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling".

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T22:50:26Z",
    "nvd_published_at": "2026-04-29T14:16:19Z",
    "severity": "CRITICAL"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:git

Package

Name
org.jenkins-ci.plugins:git
Purl
pkg:maven/org.jenkins-ci.plugins/git

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.46.0.1

Affected versions

1.*
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0-beta-1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w22p-4x9f-486v/GHSA-w22p-4x9f-486v.json"