CVE-2025-5806

Published Jun 6, 2025

Last updated 6 months ago

CVSS high 8.0
Jenkins Gatling Plugin

Overview

Description
Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.
Source
jenkinsci-cert@googlegroups.com
NVD status
Analyzed
Products
gatling

Risk scores

CVSS 3.1

Type
Secondary
Base score
8
Impact score
5.9
Exploitability score
2.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-79

Social media

Hype score
Not currently trending

  1. #VulnerabilityReport #CICD Unpatched XSS Vulnerability in Jenkins Gatling Plugin Puts Users at Risk (CVE-2025-5806) https://t.co/asgVvRW9QM

    @Komodosec

    14 Jul 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Jenkinsコミュニティは、Gatling Pluginの重大な脆弱性(CVE-2025-5806)に関する高リスクのセキュリティ勧告を発表した。Content-Security-Policy(CSP)ヘッダーを適切に処理しないため、XSS攻撃を許す可能性がある。

    @yousukezan

    7 Jun 2025

    1530 Impressions

    0 Retweets

    7 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  3. 🗣️ Unpatched XSS Vulnerability in Jenkins Gatling Plugin Puts Users at Risk (CVE-2025-5806) https://t.co/5Jd3alBu8Z

    @fridaysecurity

    7 Jun 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-5806: Jenkins Gatling Plugin XSS https://t.co/74syUq64WT Gatling Plugin serves reports in a manner that bypasses Content-Security-Policy introduced in Jenkins. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

    @oss_security

    6 Jun 2025

    246 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  5. CVE-2025-5806 Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.62… https://t.co/4y1NNmUw1F

    @CVEnew

    6 Jun 2025

    211 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In Gatling Enterprise versions below 1.25.0, a low-privileged user that does not hold the role "admin" could perform a REST API call on read-only endpoints, allowing him to collect some information, due to missing authorization checks.CVE-2025-51308
  2. In Gatling Enterprise versions below 1.25.0, a user logging-out can still use his session token to continue using the application without expiration, due to incorrect session management.CVE-2025-51306

References

Sources include official advisories and independent security research.