Jenkins HTML Publisher Plugin
Moderate fix2 remedies
cpe:2.3:a:jenkins:html_publisher:*:*:*:*:jenkins:*:*
Moderate fix2 remedies
- <= 427
Jenkins HTML Publisher Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in the Jenkins HTML Publisher Plugin, specifically in versions through 427. The issue arises because the plugin fails to properly escape job names and URLs in the legacy wrapper file. This vulnerability can be exploited by attackers who have Item/Configure permission.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where the injected script is executed in the context of the user.
Remediation
Users of the HTML Publisher Plugin should update to version 427.1, which addresses the vulnerability by properly escaping job names and URLs in the legacy wrapper file. However, it's important to note that this fix only applies to newly generated wrappers. For Jenkins versions 2.539 and newer, and LTS 2.541.1 and newer, enforcing Content Security Policy protection mitigates this vulnerability.
Added: Apr 29, 2026, 2:22 PM
Updated: Apr 29, 2026, 2:22 PM
Vulnerability Rating
Custom Algorithm
spread
6.2impact
1.7exploitability
5.0remediation
7.7relevance
7.0threat
0.0urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.