CVE-2025-53658: Jenkins Applitools Eyes Plugin vulnerable to XSS through its Build page
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML metacharacters.
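To illustrate the two defensive layers this advisory implies, the added Java example below (not the plugin's own code) rejects a configured URL containing HTML metacharacters, as the 1.16.6 fix does, and also escapes the value on output so it stays inert if validation were ever bypassed. The class and method names, the allowed schemes, and the sample URLs are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/** Added example, not the Applitools Eyes Plugin's code. */
public class ApplitoolsUrlCheck {
    // HTML metacharacters that must never appear in a URL echoed into markup.
    private static final Pattern HTML_META = Pattern.compile("[<>\"'&]");

    /** Layer 1: reject at configuration time. Returns null when the URL is acceptable, else the reason. */
    public static String rejectReason(String url) {
        if (url == null || url.isEmpty()) return "URL is empty";
        if (HTML_META.matcher(url).find()) return "URL contains HTML metacharacters";
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
                return "URL scheme must be http or https";  // assumption: only web URLs are meaningful here
            }
            if (u.getHost() == null) return "URL has no host";
        } catch (URISyntaxException e) {
            return "URL is not well-formed: " + e.getMessage();
        }
        return null;
    }

    /** Layer 2: escape on output, so a stored value cannot break out of the attribute or text node. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: one ordinary URL, one carrying markup.
        String[] samples = { "https://example.test/app/batches/1", "https://example.test/?note=<b>hi</b>" };
        for (String url : samples) {
            String reason = rejectReason(url);
            System.out.println(url + " -> " + (reason == null ? "accepted" : "rejected: " + reason));
            System.out.println("  rendered as: <a href=\"" + escapeHtml(url) + "\">" + escapeHtml(url) + "</a>");
        }
    }
}
```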