CVE-2026-53440
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier do not validate the safety of the 'from' parameter in the 'Delegate to servlet container' security realm, allowing attackers to perform phishing attacks by redirecting users to attacker-controlled domains.
Risk Assessment
The organization is vulnerable to phishing attacks that may lead to the theft of user login credentials and other sensitive information.
Recommendation
It is recommended to update Jenkins to the latest version to ensure proper validation of redirect parameters after login.
Original NVD description (English source)
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.

