Jenkins Security Advisory 2025-06-06

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Gatling Plugin

Descriptions

XSS vulnerability in Gatling Plugin

SECURITY-3588 / CVE-2025-5806
Severity (CVSS): High
Affected plugin: gatling
Description:

Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3.

This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

As of publication of this advisory, there is no fix. Learn why we announce this. Affected users are advised to downgrade to version 1.3.0.

The section "Affected Versions" below claims that earlier versions are affected as well. They are not. This presentation is a technical limitation of advisory pages on jenkins.io.
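The weakness above is that a report endpoint serves user-influenced HTML without the restrictive Content-Security-Policy that Jenkins normally attaches to static files. The check below is an added example, not code from Jenkins, the Gatling Plugin, or jenkins.io: it parses a response's CSP header and decides whether that policy would actually stop script execution, which is what an administrator verifying an instance (or a plugin test suite) needs to know. The default Jenkins policy value and the `hudson.model.DirectoryBrowserSupport.CSP` system property named in the comments are taken from Jenkins documentation; the sample response headers are constructed, and the `assess_url` helper and its `.../gatling/...` report path are assumptions for live use.

```python
"""Classify whether a served report's Content-Security-Policy blocks scripts.

Added example (not Jenkins or Gatling Plugin code). Jenkins' documented
default CSP for user-controlled static files, configured through the
hudson.model.DirectoryBrowserSupport.CSP system property, is:

    sandbox; default-src 'none'; img-src 'self'; style-src 'self';

A report endpoint that omits this header, or relaxes it, lets HTML or
JavaScript placed into the report run in the Jenkins origin.
"""
from __future__ import annotations

import urllib.request
from typing import Mapping

HEADER = "content-security-policy"


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        # If a directive is repeated, the first occurrence wins.
        policy.setdefault(name, sources)
    return policy


def csp_blocks_scripts(policy: Mapping[str, list[str]]) -> bool:
    """Return True if the policy prevents script execution in the document.

    Scripts are stopped when any of these holds:
      * a ``sandbox`` directive is present without ``allow-scripts``;
      * ``script-src`` is present and is exactly 'none';
      * ``script-src`` is absent and ``default-src`` is exactly 'none'.
    """
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    script_src = policy.get("script-src", policy.get("default-src"))
    return script_src == ["'none'"]


def assess_response_headers(headers: Mapping[str, str]) -> str:
    """Classify a response as 'protected', 'weak-csp' or 'no-csp'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if HEADER not in lowered:
        return "no-csp"
    blocked = csp_blocks_scripts(parse_csp(lowered[HEADER]))
    return "protected" if blocked else "weak-csp"


def assess_url(url: str, timeout: float = 10.0) -> str:
    """Hypothetical live helper: fetch a report URL and classify its headers.

    Needs network access and, for non-public jobs, an authenticated session;
    a typical report URL would look like .../job/<name>/<build>/gatling/...
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess_response_headers(dict(resp.headers.items()))


# Constructed sample responses, not captured from a real Jenkins instance.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "jenkins-default": {
        "Content-Type": "text/html",
        "Content-Security-Policy":
            "sandbox; default-src 'none'; img-src 'self'; style-src 'self';",
    },
    "no-header": {"Content-Type": "text/html"},
    "relaxed": {
        "Content-Type": "text/html",
        "Content-Security-Policy":
            "sandbox allow-scripts; default-src 'self'; "
            "script-src 'self' 'unsafe-inline'",
    },
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:16s} -> {assess_response_headers(headers)}")
```

Running the module prints `protected` for the default Jenkins policy, `no-csp` for a response with no header at all (the situation the advisory describes for the affected report endpoint), and `weak-csp` for a policy that opts scripts back in; pointing `assess_url` at an instance's report pages gives the same three verdicts for live responses.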

Severity

  • SECURITY-3588: High

Affected Versions

  • Gatling Plugin up to and including 136.vb_9009b_3d33a_e

Fix

As of publication of this advisory, no fixes are available for the following plugins:

  • Gatling Plugin

Learn why we announce these issues.