Security Advisories

Jenkins Security Advisory2025-06-06

This advisory announces vulnerabilities in 

,

and

Jenkins

XSS vulnerability in Gatling Plugin

SECURITY-3588 / CVE-2025-5806

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:gatling|https://plugins.jenkins.io/gatling]

Description:

Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3.

This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

As of publication of this advisory, there is no fix. Learn why we announce this. Affected users are advised to downgrade to version 1.3.0.

[!NOTE]

The section "Affected Versions" below claims that earlier versions are affected as well. They are not. This presentation is a technical limitation of advisory pages on jenkins.io.

[/]

Severity

  • SECURITY-3588 : High

Fix

As of publication of this advisory, no fixes are available for the following plugins:

  • Gatling Plugin

Learn why we announce these issues.

Subscription confirmed

You'll now be notified automatically when new vulnerabilities
are disclosed