CVE-2026-42524

High

Published: 29 April 2026

Published

29 April 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 13.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42524 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Jenkins Html Publisher. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Requires filtering of untrusted outputs such as job names and URLs in generated HTML wrapper files to prevent stored XSS execution.

SI-2 Flaw Remediation good match

prevent

Directly remediates the flaw in Jenkins HTML Publisher Plugin versions 427 and earlier by identifying, reporting, and applying patches as advised in the security advisory.

SI-10 Information Input Validation partial match

prevent

Validates job names and URLs as inputs to block malicious payloads before they are processed into the legacy wrapper file.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

Why these techniques?

Stored XSS in Jenkins HTML Publisher Plugin enables injection of malicious JavaScript into published content, directly facilitating drive-by compromise (T1189) when users view the page and JavaScript execution (T1059.007) in the browser context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Deeper analysisAI

CVE-2026-42524 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Jenkins HTML Publisher Plugin in versions 427 and earlier. The flaw arises because the plugin does not properly escape job names and URLs when generating the legacy wrapper file, enabling attackers to inject malicious scripts that persist in the published HTML content.

Attackers with Item/Configure permission on a Jenkins job can exploit this vulnerability over the network with low complexity by configuring a job with a maliciously crafted name or URL. When users with access to the job view the resulting HTML publication in their browser, the unescaped content triggers XSS execution in the victim's session. The CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity, and availability impacts, though it requires user interaction and low privileges.

The official Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3706 provides guidance on mitigation and patching for this issue, published on 2026-04-29.