CVE-2025-67641 | THREATINT

Description

Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a `javascript:` scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.

PUBLISHED Reserved 2025-12-09 | Published 2025-12-10 | Updated 2025-12-10 | Assigner jenkins

Product status

Default status

unaffected

Any version

affected

References

www.jenkins.io/security/advisory/2025-12-10/ (Jenkins Security Advisory 2025-12-10) vendor-advisory

cve.org (CVE-2025-67641)

nvd.nist.gov (CVE-2025-67641)

Download JSON