CVE-2026-53435
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
| Vendor | jenkins project |
| Product | jenkins |
| Ecosystems | |
| Industries | Technology |
| Published | Jun 10, 2026 |
| Last Updated | Jun 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for jenkins project jenkins
Be the first to know when new high vulnerabilities affecting jenkins project jenkins are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Jenkins Project / Jenkins
All versions affected