VYPR
Medium severity · CVSS 5.5 · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-48927

Description

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins buildgraph-view Plugin 1.8 and earlier has a stored XSS vulnerability via unescaped build URLs, exploitable by attackers who can configure jobs or views.

Vulnerability

Jenkins buildgraph-view Plugin version 1.8 and earlier fails to escape the build URL when rendering build information. This results in a stored cross-site scripting (XSS) vulnerability. The affected code path is reachable when the plugin displays builds in a view; no special configuration beyond installing the plugin is required for the vulnerability to exist. The issue is fixed in versions after 1.8 [1].

Exploitation

An attacker must have the ability to configure jobs or views in Jenkins. Such an attacker can inject malicious script content into a build URL, which is then stored and executed in the context of other users viewing the buildgraph view. No additional user interaction beyond viewing the affected view is required to trigger the XSS [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the web browser of any user who views the compromised buildgraph view. This can lead to session hijacking, credential theft, or further actions within the Jenkins application under the victim's permissions. The impact is limited to the UI layer; direct compromise of the Jenkins controller is not achieved [1].

Mitigation

Jenkins has released a fix in a version after 1.8 of the buildgraph-view Plugin. Users should update to the latest version as specified in the Jenkins Security Advisory 2026-05-27 [1]. No workarounds are documented; updating the plugin is the recommended course of action.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1