AI description
CVE-2025-5806 is a cross-site scripting (XSS) vulnerability found in the Jenkins Gatling Plugin version 136.vb_9009b_3d33a_e. The vulnerability arises because the plugin serves Gatling reports in a way that bypasses the Content-Security-Policy (CSP) protections that were introduced in Jenkins versions 1.641 and 1.625. This bypass allows users who can modify report content to inject and execute malicious scripts within the browsers of other users. Successful exploitation could lead to theft of sensitive session cookies, manipulation of page content, unauthorized actions performed on behalf of the victim, and potential compromise of user credentials and sensitive information.
- Description: Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.
- Source: jenkinsci-cert@googlegroups.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 8
- Impact score: 5.9
- Exploitability score: 2.1
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Severity: HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-79
- Hype score: Not currently trending
#VulnerabilityReport #CICD Unpatched XSS Vulnerability in Jenkins Gatling Plugin Puts Users at Risk (CVE-2025-5806) https://t.co/asgVvRW9QM
@Komodosec
14 Jul 2025
The Jenkins community has issued a high-risk security advisory about a critical vulnerability (CVE-2025-5806) in the Gatling Plugin. Because the plugin does not properly handle Content-Security-Policy (CSP) headers, it may allow XSS attacks.
@yousukezan
7 Jun 2025
🗣️ Unpatched XSS Vulnerability in Jenkins Gatling Plugin Puts Users at Risk (CVE-2025-5806) https://t.co/5Jd3alBu8Z
@fridaysecurity
7 Jun 2025
CVE-2025-5806: Jenkins Gatling Plugin XSS https://t.co/74syUq64WT Gatling Plugin serves reports in a manner that bypasses Content-Security-Policy introduced in Jenkins. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.
@oss_security
6 Jun 2025
CVE-2025-5806 Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.62… https://t.co/4y1NNmUw1F
@CVEnew
6 Jun 2025