CVE-2026-42524: Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file

April 29, 2026 (updated May 6, 2026)

Jenkins HTML Publisher Plugin versoins 427 and earlier do not escape the job name and URL in the legacy wrapper file.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

HTML Publisher Plugin 427.1 escapes job name and URL when generating the legacy wrapper file.

References

github.com/advisories/GHSA-f8h4-46xv-h7jj
github.com/jenkinsci/htmlpublisher-plugin
nvd.nist.gov/vuln/detail/CVE-2026-42524
www.jenkins.io/security/advisory/2026-04-29/

Code Behaviors & Features

Detect and mitigate CVE-2026-42524 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →