CVE-2026-53435 · EPSS percentile 28.4%

CVE-2026-53435

jenkins / jenkins

Description

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

Scoring

CVSS: 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% probability of exploitation · percentile 28.4% · 2026-06-19T12:03:05Z
Last modified: 2026-06-11

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-53442
CVE: CVE-2026-53441
CVE: CVE-2026-53438
CVE: CVE-2026-53439
CVE: CVE-2025-53652
CVE: CVE-2026-53440
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.