CVE-2026-53436
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier improperly determine that a redirect URL after login legitimately points to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
Risk Assessment
Organizations may become targets of phishing attacks, potentially leading to the theft of user login credentials and other sensitive information.
Recommendation
It is recommended to update Jenkins to the latest version to eliminate this vulnerability and implement additional security measures to protect against phishing attacks.
Original NVD description (English source)
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.

