CVE-2026-53440

MEDIUM

Jenkins - URL Redirection to Untrusted Site ('Open Redirect')


Description

Jenkins 2.567 and earlier, and LTS 2.555.2 and earlier, do not ensure that the "from" parameter of the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.

References (1)

Vendor Advisory: Jenkins Security Advisory 2026-06-10
https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3721

Scores

CVSS v3 4.3
EPSS 0.0024
EPSS Percentile 14.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-601
Status published
Products (4)
jenkins/jenkins < 2.555.3
jenkins/jenkins < 2.568
Jenkins Project/Jenkins 2.555.3 - 2.555.*
Jenkins Project/Jenkins 2.568
Published Jun 10, 2026
Tracked Since Jun 10, 2026