CVE-2026-42523: Jenkins GitHub Plugin has an XSS vulnerability

April 29, 2026 (updated May 6, 2026)

In Jenkins GitHub Plugin versions 1.46.0 and earlier, the JavaScript that validates the “GitHub hook trigger for GITScm polling” feature improperly processes the current job URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

GitHub Plugin 1.46.0.1 no longer processes the current job URL as part of JavaScript implementing validation of the feature “GitHub hook trigger for GITScm polling”.

References

github.com/advisories/GHSA-w22p-4x9f-486v
nvd.nist.gov/vuln/detail/CVE-2026-42523
www.jenkins.io/security/advisory/2026-04-29/

Code Behaviors & Features

Detect and mitigate CVE-2026-42523 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →