{"id":"CVE-2026-42524","details":"Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.","aliases":["GHSA-f8h4-46xv-h7jj"],"modified":"2026-07-15T06:09:57.925110Z","published":"2026-04-29T14:16:19.457Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3706"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/htmlpublisher-plugin","events":[{"introduced":"0"},{"last_affected":"1323e9b8df2a8d132f72f7409350243714184e10"}],"database_specific":{"cpe":"cpe:2.3:a:jenkins:html_publisher:*:*:*:*:*:jenkins:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"427"}],"source":"CPE_RANGE"}}],"versions":["htmlpublisher-427","htmlpublisher-425","424.va_e57f1253461","htmlpublisher-1.37","htmlpublisher-1.36","htmlpublisher-1.35","htmlpublisher-1.34","htmlpublisher-1.33","htmlpublisher-1.32","htmlpublisher-1.31","htmlpublisher-1.30","htmlpublisher-1.29","htmlpublisher-1.28","htmlpublisher-1.27","htmlpublisher-1.26","htmlpublisher-1.25","htmlpublisher-1.24","htmlpublisher-1.23","htmlpublisher-1.22","htmlpublisher-1.22-beta-1","htmlpublisher-1.21","htmlpublisher-1.20","htmlpublisher-1.19","htmlpublisher-1.18","htmlpublisher-1.17","htmlpublisher-1.16","htmlpublisher-1.15","htmlpublisher-1.14","htmlpublisher-1.13","htmlpublisher-1.12","htmlpublisher-1.11","htmlpublisher-1.10","htmlpublisher-1.9","htmlpublisher-1.8","htmlpublisher-1.7","htmlpublisher-1.6","htmlpublisher-1.5","htmlpublisher-1.4","htmlpublisher-1.3","htmlpublisher-1.2","htmlpublisher-1.1","htmlpublisher-1.0","htmlpublisher-0.8","htmlpublisher-0.7","htmlpublisher-0.6","htmlpublisher-0.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42524.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}