CVE-2026-53435

Severity: HIGH · Exploited in the wild · Lab available

Jenkins - Deserialization of Untrusted Data

Exploitation Summary

CVE-2026-53435 has been observed exploited in the wild (reported by VulnCheck KEV, 2026-06-15). EIP tracks 1 public exploit, by AmesianX.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-53435, a deserialization vulnerability in Jenkins. The exploit leverages a DescribableList gadget to achieve arbitrary file reads via a crafted config.xml submission, targeting either the ListView creation vector or the ListView overwrite vector.

Description

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, attackers can make Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission, in a way that lets the deserialized objects handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
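A quick way to decide whether a controller falls in the affected range, as an added example that is not the page's or the Jenkins project's own code: Jenkins returns its version in the `X-Jenkins` response header, so a single request is enough. The thresholds are the advisory's (weekly ≤ 2.567, LTS ≤ 2.555.2; fixed in 2.568 and 2.555.3). Assumptions: the live lookup targets `/login`, which answers with the header even when anonymous read is disabled, and the header sets at the bottom are constructed for the offline demo.

```python
"""Version triage for CVE-2026-53435 from the X-Jenkins header.

Affected: weekly <= 2.567 and LTS <= 2.555.2 (fixed in 2.568 / 2.555.3).
Weekly releases have two components (2.567); LTS releases have three
(2.555.2), and that third component is what tells the two lines apart.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

FIXED_WEEKLY = 568        # 2.568 is the first fixed weekly release
FIXED_LTS = (555, 3)      # 2.555.3 is the first fixed LTS release

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(raw: str) -> Tuple[int, int, Optional[int]]:
    """'2.567' -> (2, 567, None); '2.555.2-SNAPSHOT' -> (2, 555, 2)."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {raw!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), None if patch is None else int(patch)


def is_affected(raw: str) -> bool:
    major, minor, patch = parse_version(raw)
    if major != 2:
        # 1.x predates the fix; anything newer than 2.x is assumed to carry it.
        return major < 2
    if patch is None:                      # weekly line
        return minor < FIXED_WEEKLY
    return (minor, patch) < FIXED_LTS      # LTS line


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Case-insensitive lookup of X-Jenkins in a header mapping."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def triage(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide affected / not affected / unknown from one response's headers."""
    version = version_from_headers(headers)
    if version is None:
        return {"version": None, "affected": None,
                "note": "no X-Jenkins header: not Jenkins, or header stripped by a proxy"}
    try:
        affected = is_affected(version)
    except ValueError as exc:
        return {"version": version, "affected": None, "note": str(exc)}
    line = "LTS" if parse_version(version)[2] is not None else "weekly"
    fix = "2.555.3" if line == "LTS" else "2.568"
    return {"version": version, "line": line, "affected": affected,
            "note": f"upgrade to {fix} or later" if affected else "at or past fixed release"}


def fetch_headers(base_url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Live lookup (network; not used by the offline demo).

    Assumption: /login carries the X-Jenkins header even when anonymous read
    access is disabled.  A 403 still carries headers, so HTTPError is
    treated as a response rather than a failure.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/login",
                                 headers={"User-Agent": "cve-2026-53435-triage"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed header sets standing in for real responses.
SAMPLE_RESPONSES = {
    "lab-lts":     {"Server": "Jetty(12.0.x)", "X-Jenkins": "2.555.2"},
    "lab-fixed":   {"Server": "Jetty(12.0.x)", "X-Jenkins": "2.555.3"},
    "ci-weekly":   {"x-jenkins": "2.560"},
    "old-lts":     {"X-Jenkins": "2.541.3"},
    "not-jenkins": {"Server": "nginx/1.25"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:12} {triage(hdrs)}")
```

Run it as-is for the offline demo, or call `triage(fetch_headers("https://ci.example.internal"))` against a controller you are authorized to test. Older LTS lines (2.541.3 in the sample) are affected too; the check is "at or before 2.555.2", not "on the 2.555 line".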

Exploits (1)

github · WORKING POC
by AmesianX · python · remote
https://github.com/AmesianX/CVE-2026-53435

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jenkins (weekly ≤ 2.567, LTS ≤ 2.555.2)
Auth required: yes
Prerequisites: Overall/Read permission · View/Configure or Item/Configure permission
Analyzed by devstral-2 on Jun 12, 2026
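Both vectors are ordinary authenticated HTTP POSTs that hand Jenkins an XML document, so they leave a clear trace in controller access logs. The hunt below is an added example, not code from the page or the PoC repository: it parses NCSA-style access log lines and flags POSTs to the endpoints that accept a config.xml submission. The view endpoints (`/createView`, `/view/<name>/config.xml`) are the PoC's vectors; because the prerequisite is View/Configure or Item/Configure, the item equivalents (`/createItem`, `/job/<name>/config.xml`) are flagged as well at lower severity. The log lines are constructed, the log format is assumed to be the combined format Winstone's access logger writes, and the severity labels are this example's own.

```python
"""Flag XML config submissions in Jenkins access logs (CVE-2026-53435 hunt).

Both vectors on this page are plain HTTP POSTs carrying an XML body:
creating a view (/createView) or overwriting one (/view/<name>/config.xml).
The same submission endpoints exist for items, which Item/Configure also
permits, so those are flagged at a lower severity.  Sample lines are
constructed; the format is NCSA combined as written by Winstone's access
logger (assumption).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# NCSA combined: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
_NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Endpoints that accept an XML body.  "(?:/job/[^/]+)*" allows nesting in
# folders.  Order matters: folder views must win over the item pattern.
_VECTORS = [
    ("view-create",    re.compile(r'^(?:/job/[^/]+)*/createView$'),             "high"),
    ("view-overwrite", re.compile(r'^(?:/job/[^/]+)*/view/[^/]+/config\.xml$'), "high"),
    ("item-create",    re.compile(r'^(?:/job/[^/]+)*/createItem$'),             "medium"),
    ("item-overwrite", re.compile(r'^(?:/job/[^/]+)+/config\.xml$'),            "medium"),
]


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (vector, severity) if the path is an XML submission endpoint."""
    for vector, pattern, severity in _VECTORS:
        if pattern.match(path):
            return vector, severity
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = _NCSA_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: Iterable[str], context_path: str = "") -> List[Dict[str, str]]:
    """Return one event per POST that submits XML config to Jenkins.

    context_path strips a deployment prefix such as "/jenkins" (assumption:
    the controller is served under that prefix; default is the root).
    """
    events = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["target"].split("?", 1)[0]          # drop ?name=... etc.
        if context_path and path.startswith(context_path):
            path = path[len(context_path):] or "/"
        hit = classify_path(path)
        if hit is None:
            continue
        vector, severity = hit
        events.append({**rec, "path": path, "vector": vector, "severity": severity})
    return events


def by_actor(events: List[Dict[str, str]]) -> Counter:
    """Count flagged submissions per (user, ip).  A burst of view POSTs from a
    low-privilege user with a scripted user agent is what the PoC looks like;
    routine admin edits will also match, so baseline known config changes."""
    return Counter((e["user"], e["ip"]) for e in events)


# Constructed sample: alice runs the PoC flow, bob edits a job normally.
SAMPLE_LOG = """\
10.0.0.5 - alice [11/Jun/2026:09:14:02 +0000] "GET /api/json HTTP/1.1" 200 2810 "-" "python-requests/2.32.3"
10.0.0.5 - alice [11/Jun/2026:09:14:03 +0000] "POST /createView?name=triage HTTP/1.1" 302 0 "-" "python-requests/2.32.3"
10.0.0.5 - alice [11/Jun/2026:09:14:05 +0000] "POST /view/triage/config.xml HTTP/1.1" 200 0 "-" "python-requests/2.32.3"
10.0.0.9 - bob [11/Jun/2026:09:20:41 +0000] "GET /view/All/config.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [11/Jun/2026:09:21:10 +0000] "POST /job/platform/job/build-app/config.xml HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.0.0.9 - bob [11/Jun/2026:09:21:30 +0000] "POST /job/platform/job/build-app/build HTTP/1.1" 201 0 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for e in found:
        print(f'{e["severity"]:6} {e["vector"]:15} {e["user"]}@{e["ip"]} '
              f'{e["path"]} -> {e["status"]} ua={e["ua"]}')
    print(by_actor(found))
```

GET requests to `config.xml` are deliberately not flagged: reading a view's configuration is Overall/Read behaviour, and the deserialization only happens on submission.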

References (1)

Vendor Advisory: Jenkins Security Advisory 2026-06-10 (SECURITY-3707)
https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3707

Scores

CVSS v3.1: 8.8 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0037 (0.37%)
EPSS Percentile: 28.4%

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: total

Note: the SSVC exploitation value of none differs from the VulnCheck KEV listing (2026-06-15) that reports exploitation in the wild; for prioritization, treat this CVE as exploited.

Lab Environment

Community Lab
docker pull jenkins/jenkins:2.555.2-lts   (affected: last vulnerable LTS release)
docker pull jenkins/jenkins:2.555.3-lts   (fixed: first patched LTS release)

Details

VulnCheck KEV: 2026-06-15
CWE: CWE-502 (Deserialization of Untrusted Data)
Status: published
Products (4)
Affected: jenkins/jenkins < 2.555.3 (LTS line)
Affected: jenkins/jenkins < 2.568 (weekly line)
Fixed: Jenkins Project/Jenkins 2.555.3 - 2.555.* (LTS)
Fixed: Jenkins Project/Jenkins 2.568 (weekly)
Published: Jun 10, 2026
Tracked Since: Jun 10, 2026