Learn why CloudBees Unify is the Future of DevOps →

Jenkins Security Advisory 2025-06-06

This advisory announces vulnerabilities in Jenkins

XSS vulnerability in Gatling Plugin

SECURITY-3588 / CVE-2025-5806
Severity (CVSS): High
Affected plugin: gatling
Description:

Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3.

This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

As of publication of this advisory, there is no fix. Learn why we announce this. Affected users are advised to downgrade to version 1.3.0.

The section "Affected Versions" below claims that earlier versions are affected as well. They are not. This presentation is a technical limitation of advisory pages on jenkins.io.

Severity

  • SECURITY-3588 : High


Fix

As of publication of this advisory, no fixes are available for the following plugins:

  • Gatling Plugin

Learn why we announce these issues.


Credit

More Security Advisories

Continuously redefine what’s possible through software

© 2025 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders. Jenkins® is a registered trademark of LF Charities Inc.
Terms of Service