High severity · GHSA Advisory · Published Dec 10, 2025 · Updated Dec 10, 2025

CVE-2025-67641

Description

Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.
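The gap described above, with the check applied only on the form path and then repeated where the ID is consumed, as an added example that is not the Coverage Plugin's own code. The class and method names, the allow-list pattern, and the assumption that the ID ends up as a link target are all hypothetical.

```java
import java.util.regex.Pattern;

/** Added illustration; every name here is hypothetical, not the plugin's API. */
public class CoverageIdCheck {
    // Assumed allow-list for an ID that later becomes part of a URL: it starts with an
    // alphanumeric and continues with alphanumerics, '.', '_' or '-'. With no ':' or '/'
    // allowed, a scheme such as "javascript:" cannot be expressed.
    private static final Pattern VALID_ID = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]*");

    static boolean isValidId(String id) {
        return id != null && VALID_ID.matcher(id).matches();
    }

    /** Path 1: form validation. It only runs when the configuration form is submitted. */
    static String checkIdFromForm(String id) {
        return isValidId(id) ? "OK" : "Invalid ID";
    }

    /** Flawed shape: trusts whatever ID is stored in the job configuration. */
    static String createResultsUnchecked(String storedId) {
        // Assumption: the ID is used as a link target when results are rendered.
        return "<a href=\"" + storedId + "\">Coverage</a>";
    }

    /** Hardened shape: validate again where the ID is consumed, whichever path stored it. */
    static String createResultsChecked(String storedId) {
        if (!isValidId(storedId)) {
            throw new IllegalArgumentException("Rejected coverage results ID");
        }
        return "<a href=\"" + storedId + "\">Coverage</a>";
    }

    public static void main(String[] args) {
        // Constructed sample: an ID written directly into the stored configuration,
        // as a REST configuration update would do, so the form check never ran.
        String storedId = "javascript:void(0)";
        System.out.println("form check:  " + checkIdFromForm(storedId));
        System.out.println("unchecked:   " + createResultsUnchecked(storedId));
        try {
            createResultsChecked(storedId);
        } catch (IllegalArgumentException e) {
            System.out.println("checked:     " + e.getMessage());
        }
        System.out.println("valid ID:    " + createResultsChecked("coverage"));
    }
}
```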

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.jenkins.plugins:coverage (Maven) | < 2.3056 | 2.3056 |
