Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views.
As of publication of this advisory, there is no fix.
{
"github_reviewed_at": "2026-07-01T19:46:29Z",
"nvd_published_at": "2026-05-27T15:16:32Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-79"
],
"severity": "MODERATE"
}