CVE-2018-1000426
Description
Jenkins Git Changelog Plugin 2.6 and earlier has a stored XSS vulnerability allowing attackers to inject arbitrary HTML via malicious Git history.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Git Changelog Plugin versions 2.6 and earlier contain a cross-site scripting (XSS) vulnerability in multiple view components: GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, and GitLogBasicChangelogPostPublisher/config.jelly. The plugin does not properly escape values derived from Git history before rendering them in Jenkins web interfaces. An attacker who can control the Git history parsed by the plugin (e.g., by contributing to a repository or manipulating commit messages, author names, or tag names) can inject arbitrary HTML. This vulnerability is identified in the Jenkins Security Advisory 2018-09-25 as SECURITY-1122 [1] and confirmed in the NVD entry [2].
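The core defect described above is output encoding: Git-derived strings (commit message, author, tag) reach an HTML view without being escaped. The following added example (not the plugin's code; it does not reproduce the Jelly views, and the function and sample names are hypothetical) shows the flawed render pattern beside the escaped one, with a small check that lists any tag names present in the output that the template itself did not emit. The commit history is constructed for the demonstration.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Commit:
    """One parsed Git history entry (fields the advisory names as attacker-controlled)."""
    author: str
    message: str
    tag: str = ""


# Constructed sample history: the second entry carries HTML markup in the
# author name and commit message, as the advisory describes.
SAMPLE_HISTORY = [
    Commit(author="dev", message="Fix build", tag="v1.0"),
    Commit(author="<i>someone</i>",
           message="Update <script>/* constructed marker */</script> docs",
           tag="v1.1"),
]


def render_summary_unescaped(commits):
    """Mirrors the flawed pattern: Git values are interpolated into HTML verbatim."""
    rows = [f"<li>{c.tag} {c.author}: {c.message}</li>" for c in commits]
    return "<ul>" + "".join(rows) + "</ul>"


def render_summary_escaped(commits):
    """Hardened form: every Git-derived value is HTML-escaped before interpolation.

    html.escape encodes &, <, >, and both quote characters, so the values can
    only ever appear as text, never as markup or attribute breakouts.
    """
    rows = [
        f"<li>{html.escape(c.tag)} {html.escape(c.author)}: {html.escape(c.message)}</li>"
        for c in commits
    ]
    return "<ul>" + "".join(rows) + "</ul>"


_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def foreign_tags(rendered_html, template_tags=("ul", "li")):
    """Return tag names found in the output that the template did not emit itself.

    A non-empty result means user-controlled data was rendered as markup; this is
    the kind of assertion a template unit test or a review checklist would carry.
    """
    found = {m.group(1).lower() for m in _TAG_RE.finditer(rendered_html)}
    return sorted(found - set(template_tags))


if __name__ == "__main__":
    print("unescaped:", foreign_tags(render_summary_unescaped(SAMPLE_HISTORY)))
    print("escaped:  ", foreign_tags(render_summary_escaped(SAMPLE_HISTORY)))
```

The same check generalizes to any view that interpolates repository metadata: run the template over a history entry containing markup and assert that the only tag names in the output are the ones the template emits.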
Exploitation
To exploit this vulnerability, an attacker must have the ability to inject malicious content into the Git history that the Jenkins Git Changelog Plugin parses. This can be achieved by contributing commits with specially crafted commit messages, author names, or tag names to a repository that Jenkins monitors. No authentication beyond the ability to push to the repository is required from the attacker; the Jenkins job must be configured to use the Git Changelog Plugin. The XSS payload is then automatically rendered when Jenkins displays the changelog summary, build badge, or plugin configuration pages that reference the malicious Git history entries [1][2].
Impact
A successful XSS attack allows the attacker to execute arbitrary HTML and JavaScript in the context of a Jenkins user's browser session. This can lead to session hijacking, credential theft, or performing administrative actions on behalf of an authenticated Jenkins user. The scope of compromise is limited to the Jenkins web interface; the attacker does not gain direct access to the Jenkins server or underlying host beyond what the browser session permits [1].
Mitigation
Jenkins released version 2.7 of the Git Changelog Plugin on 2018-09-25 to address this vulnerability [1]. Users should upgrade to version 2.7 or later. For earlier versions that are no longer supported, no workaround is described in the available references. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| de.wellnerbou.jenkins:git-changelog (Maven) | < 2.7 | 2.7 |
Affected products
- Range: 1.0, 1.22, git-changelog-1.1, …
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jcmg-9rw5-9rm2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000426 (NVD entry)
- www.securityfocus.com/bid/106532 (SecurityFocus BID, vulnerability database entry)
- jenkins.io/security/advisory/2018-09-25/ (Jenkins Security Advisory, vendor confirmation)
News mentions
No linked articles in our index yet.