CVE-2025-53658
Description
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Jenkins Applitools Eyes Plugin due to missing URL escaping, exploitable by attackers with Item/Configure permission.
Vulnerability
The Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier does not properly escape the Applitools URL when displayed on the build page. This allows an attacker to inject arbitrary HTML and JavaScript into the page, leading to a stored cross-site scripting (XSS) vulnerability [1][3].
Exploitation
An attacker with Item/Configure permission on a job can save an Applitools URL containing HTML or JavaScript as part of the job configuration. The value is stored, and because the build page renders it without escaping, the payload runs in the browser of every user who views that build page, inside the Jenkins origin and with that user's session [1]. Item/Configure is a weaker privilege than Overall/Administer, so the bug lets a job configurer act with the privileges of whoever views the page, including administrators.
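The following is an added example, not the plugin's own code (the real plugin renders the URL from a Jelly view in Java). It models the rendering step described in the Vulnerability and Exploitation sections with a small Python renderer so the difference between unescaped and escaped output can be seen offline. The sample URLs are constructed, and the hardened variant adds a scheme allow-list on top of escaping, which is an assumption about how one would fix it rather than a description of the actual 1.16.6 patch.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values, not taken from any real report.  MALICIOUS_URL is
# the kind of string an attacker with Item/Configure could save as the
# Applitools URL; the quote and angle bracket close the href attribute and the
# <a> element so the rest is parsed as new markup.
MALICIOUS_URL = 'https://eyes.applitools.com/"><img src=x onerror="alert(document.cookie)'
JAVASCRIPT_URL = "javascript:alert(document.domain)"
BENIGN_URL = "https://eyes.applitools.com/app/batches/123"

ALLOWED_SCHEMES = {"http", "https"}


def render_unescaped(url: str) -> str:
    """Vulnerable rendering: the stored URL is interpolated verbatim into the
    build-page markup, the behaviour the advisory attributes to plugin
    versions 1.16.5 and earlier."""
    return f'<a href="{url}">Applitools results</a>'


def render_escaped(url: str) -> str:
    """Hardened rendering with two independent controls (assumed fix shape):
    1. html.escape(quote=True) neutralises ", <, > and & so the value cannot
       close the attribute or open a new tag;
    2. a scheme allow-list, because escaping alone leaves a javascript: URL
       intact and it runs as soon as the victim clicks the link.
    A value that fails the allow-list is emitted as inert text, not a link."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return f"<span>{html.escape(url, quote=True)}</span>"
    return f'<a href="{html.escape(url, quote=True)}">Applitools results</a>'


_TAG = re.compile(r"<[A-Za-z/]")


def injected_tag_count(fragment: str) -> int:
    """Number of tags in the fragment beyond the single element the template
    intends to emit (an <a> or <span> plus its closing tag).  Anything above
    zero means the URL smuggled markup into the page.  Note that this check
    cannot see a javascript: href, which injects no tag at all."""
    return max(0, len(_TAG.findall(fragment)) - 2)


def href_of(fragment: str) -> Optional[str]:
    """The href value as a browser sees it after entity decoding, i.e. where a
    click on the rendered link would navigate."""
    m = re.search(r'href="([^"]*)"', fragment)
    return html.unescape(m.group(1)) if m else None


if __name__ == "__main__":
    for label, url in (("markup", MALICIOUS_URL), ("javascript:", JAVASCRIPT_URL)):
        print(label, "unescaped ->", render_unescaped(url))
        print(label, "escaped   ->", render_escaped(url))
```

The two sample payloads show why the fix needs both controls: the markup payload is stopped by escaping alone, while the `javascript:` payload survives escaping untouched and is only stopped by the allow-list.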
Impact
Successful exploitation lets the attacker act within the victim's Jenkins session and perform any action that victim is permitted to, such as modifying job configurations, reading credentials the victim can access, or exfiltrating data from Jenkins [1][3]. When the viewer is an administrator, this is an escalation from Item/Configure to administrative control of the controller.
Mitigation
The vulnerability is fixed in Applitools Eyes Plugin 1.16.6; upgrade to that version or later. No workaround is available [1][2]. Until the upgrade is applied, limiting who holds Item/Configure on jobs that use the plugin reduces who is able to plant the payload, but it does not remove the bug.
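An added example (not from the page or the plugin) of checking an instance for the vulnerable version. It assumes the plugin inventory comes from the standard Jenkins endpoint `GET $JENKINS_URL/pluginManager/api/json?depth=1` (fetched with a user API token, e.g. `curl -u user:token`), and it assumes the plugin's Jenkins shortName equals the Maven artifactId in the GitHub advisory, `applitools-eyes`; both are assumptions. The response below is constructed and trimmed to the fields the check uses.

```python
import json
import re
from typing import Any

# Assumptions (see lead-in): shortName taken to equal the Maven artifactId from
# the advisory; the fixed version is the one the advisory names.
PLUGIN_SHORT_NAME = "applitools-eyes"
FIXED_VERSION = "1.16.6"


def parse_version(version: str) -> tuple:
    """Numeric tuple for Jenkins-style versions ('1.16.5', '1.16.6-rc1').
    A pre-release suffix is dropped, so '1.16.6-rc1' compares equal to the
    fixed version and is reported as not vulnerable; tighten this if your
    site ships pre-releases.  Comparing ints avoids the string-comparison
    bug where '1.16.10' sorts below '1.16.6'."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(plugin_manager_json: dict) -> list:
    """Return every installed copy of the plugin below the fixed version.
    Disabled plugins are still reported: the .jpi remains on disk and a later
    enable would reintroduce the bug, so it should be upgraded regardless."""
    hits = []
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "0")
        if is_vulnerable(version):
            hits.append({
                "shortName": plugin["shortName"],
                "version": version,
                "enabled": plugin.get("enabled", True),
                "longName": plugin.get("longName", ""),
            })
    return hits


# Constructed sample response (not captured from a real instance).
SAMPLE_RESPONSE: dict = json.loads("""
{
  "_class": "hudson.LocalPluginManager",
  "plugins": [
    {"shortName": "git", "longName": "Git plugin", "version": "5.7.0", "enabled": true},
    {"shortName": "applitools-eyes", "longName": "Applitools Eyes Plugin",
     "version": "1.16.5", "enabled": true}
  ]
}
""")


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_RESPONSE):
        state = "enabled" if hit["enabled"] else "disabled"
        print(f"{hit['shortName']} {hit['version']} ({state}) is below {FIXED_VERSION}: upgrade")
```

Run it against the real response by replacing `SAMPLE_RESPONSE` with `json.load()` of the saved API output; an empty result from `find_vulnerable` means no copy below 1.16.6 is installed.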
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:applitools-eyes | Maven | < 1.16.6 | 1.16.6 |
Affected products
- Jenkins Project / Jenkins Applitools Eyes Plugin: versions <= 1.16.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] GitHub Security Advisory GHSA-j4wf-9gx8-63f8 (advisory): https://github.com/advisories/GHSA-j4wf-9gx8-63f8
- [2] NVD entry for CVE-2025-53658 (advisory): https://nvd.nist.gov/vuln/detail/CVE-2025-53658
- [3] Jenkins Security Advisory 2025-07-09 (vendor advisory): https://www.jenkins.io/security/advisory/2025-07-09/
- [4] oss-security announcement (web): https://www.openwall.com/lists/oss-security/2025/07/09/4
News mentions
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories, Jul 9, 2025)