Jenkins GitHub Plugin stored XSS (CVE-2026-42523)
CVE-2026-42523: Stored XSS in Jenkins GitHub Plugin 1.46.0 and earlier, CVSS 9.0. Attackers with Overall/Read can inject scripts via hook URL. Update or disable the feature now.
Patch now - CVE-2026-42523 is a critical stored cross-site scripting (XSS) vulnerability in Jenkins GitHub Plugin 1.46.0 and earlier that lets non-anonymous attackers with Overall/Read permission execute arbitrary JavaScript in the Jenkins interface. Jenkins recommends disabling the “GitHub hook trigger for GITScm polling” feature until a patch is released.
Overview
CVE-2026-42523 affects the Jenkins GitHub Plugin’s handling of the current job URL. The plugin improperly processes this URL as part of JavaScript that validates the “GitHub hook trigger for GITScm polling” feature. An attacker with Overall/Read permission can craft a malicious job URL containing JavaScript code, which gets stored and executed in the browsers of other Jenkins users, including administrators.
This is a stored XSS vulnerability with a CVSS score of 9.0 (Critical). The attack vector is network-based, requires low attack complexity, and only needs low privileges. User interaction is required, meaning the victim must view the affected page while the malicious payload executes.
Impact
An attacker exploiting this vulnerability can perform any action the victim user can perform. If the victim has administrative privileges, the attacker could:
- Create, modify, or delete jobs and nodes
- Execute arbitrary build scripts
- Access and exfiltrate credentials stored in Jenkins
- Install malicious plugins
- Modify or disable security configurations
The attack can also be used to steal session cookies, redirect users to phishing pages, or perform actions on behalf of users without their knowledge.
Affected Versions
- Jenkins GitHub Plugin version 1.46.0 and all earlier versions
Remediation
As of this advisory, no patched version of the plugin has been released. The following mitigations are recommended in order of priority:
- Disable the “GitHub hook trigger for GITScm polling” feature in all Jenkins jobs until a patched plugin version is available. This removes the vulnerable code path.
- Restrict Overall/Read permission to only trusted users. Review your Jenkins authorization configuration and limit who can view job configurations.
- Monitor Jenkins logs for unusual job URL modifications or unexpected JavaScript execution patterns.
- Apply vendor patches immediately when Jenkins releases a fixed version of the GitHub Plugin.
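To carry out the first mitigation at scale, an administrator can inventory every job that still has the hook trigger enabled from the Jenkins Script Console. The script below is an added example, not part of this advisory or of the GitHub Plugin; it assumes the trigger behind that checkbox is the plugin's `com.cloudbees.jenkins.GitHubPushTrigger` class and that it is run with administrator rights in Manage Jenkins > Script Console.

```groovy
// Added example (not from the advisory): list, and optionally remove, the
// "GitHub hook trigger for GITScm polling" trigger from all jobs.
// Assumption: the trigger class is com.cloudbees.jenkins.GitHubPushTrigger.
// The class is matched by name so the script still compiles when the plugin
// is absent. DRY_RUN=true only reports; set it to false to remove the trigger
// from AbstractProject (freestyle-style) jobs. Other job types are reported
// for manual handling in their configuration page.
import jenkins.model.Jenkins
import jenkins.model.ParameterizedJobMixIn
import hudson.model.AbstractProject

def DRY_RUN = true
def triggerClassName = 'com.cloudbees.jenkins.GitHubPushTrigger'

// Collect every job whose trigger map contains the GitHub push trigger.
def affected = []
Jenkins.get().getAllItems(ParameterizedJobMixIn.ParameterizedJob).each { job ->
    def hit = job.triggers.find { descriptor, trigger ->
        trigger.getClass().name == triggerClassName
    }
    if (hit) {
        affected << [name: job.fullName, type: job.getClass().simpleName, descriptor: hit.key]
    }
}

affected.each { entry ->
    println "hook trigger enabled: ${entry.name} (${entry.type})"
    if (!DRY_RUN) {
        def job = Jenkins.get().getItemByFullName(entry.name)
        if (job instanceof AbstractProject) {
            job.removeTrigger(entry.descriptor)   // drops the trigger from the job
            job.save()                            // persist the updated config.xml
            println "  removed"
        } else {
            println "  skipped: remove manually in the job's configuration page"
        }
    }
}
println "jobs with the trigger: ${affected.size()} (dry run: ${DRY_RUN})"
```

Keep the dry-run output as a record of which jobs need the trigger re-enabled once a fixed plugin version is installed.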
Security Insight
This vulnerability highlights a recurring pattern in CI/CD tool security: plugins that dynamically construct and execute JavaScript based on user-controlled input remain a blind spot for many development teams. The Jenkins plugin ecosystem, with its thousands of community-contributed plugins, has historically struggled with input validation, and this incident parallels the 2022 Jenkins XSS series that similarly targeted job configuration fields. Organizations running Jenkins should treat all plugins with UI-rendering capabilities as high-risk and enforce strict privilege separation between users who can view configurations and those who can modify them. This vulnerability also reinforces the need for content security policies (CSP) in Jenkins installations, a defense that could limit exploitability even when input validation fails.