CVE-2018-8718

HIGH

Mailer Plugin 1.20 for Jenkins 2.111 - CSRF


Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-8718. PoCs published by Kl3_GMjq6, GeunSam2.

AI-analyzed exploit summary

This exploit demonstrates a CSRF vulnerability in Jenkins mailer plugin versions below 1.20. It crafts a malicious email with a link that, when clicked by an admin, triggers a test email send action with attacker-controlled SMTP credentials.

Description

Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.

Exploits (2)

exploitdb · WORKING POC
by Kl3_GMjq6 · python · webapps · linux
https://www.exploit-db.com/exploits/44843

This exploit demonstrates a CSRF vulnerability in Jenkins mailer plugin versions below 1.20. It crafts a malicious email with a link that, when clicked by an admin, triggers a test email send action with attacker-controlled SMTP credentials.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Jenkins mailer plugin < 1.20
No auth needed
Prerequisites: Valid SMTP credentials for sending the malicious email · Admin user must click the crafted link
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by GeunSam2 · poc
https://github.com/GeunSam2/CVE-2018-8718

This PoC exploits a CSRF vulnerability in Jenkins mailer plugin (CVE-2018-8718) by crafting a malicious email with a link that triggers unauthorized actions when clicked by an admin. The script automates the creation and sending of such emails via SMTP.

Classification: Working PoC 95%
Attack Type: CSRF
Complexity: Moderate
Reliability: Reliable
Target: Jenkins mailer plugin versions below 1.20
No auth needed
Prerequisites: SMTP server credentials · Admin email address · Target Jenkins server URL
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References

Vendor Advisory (x_refsource_confirm): https://jenkins.io/security/advisory/2018-03-26/
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2018/03/26/3
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/44843/
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/103691

Scores

CVSS v3: 8.0
EPSS: 0.0074
EPSS Percentile: 73.4%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-352
Status: published
Products (2):
jenkins/mailer < 1.20
org.jenkins-ci.plugins/mailer 0 - 1.21 (Maven)
Published: Mar 27, 2018
Tracked Since: Feb 18, 2026