this post was submitted on 15 Jun 2026
cybersecurity
cross-posted from: https://lemmy.world/post/48197919

A newly disclosed Jenkins vulnerability, tracked as CVE-2026-53435, is now being actively exploited in the wild. The flaw allows an authenticated attacker with relatively low privileges to POST a malicious config.xml file, abuse Jenkins’ deserialization handling, and route requests through Stapler to access sensitive files on the Jenkins controller.

The issue affects Jenkins weekly versions up to 2.567 and LTS versions up to 2.555.2. Successful exploitation can lead to arbitrary file read, user impersonation, Script Console access, and possible exposure of SSH keys, credentials, and internal Jenkins secrets. Administrators are urged to upgrade immediately to Jenkins weekly 2.568 or LTS 2.555.3, review logs for suspicious createView requests, and audit users with View/Configure, Item/Configure, or Agent/Configure permissions.
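Two defender-side checks for the advisory above, written here as an added example rather than code from the post or the Jenkins project: a version gate using the affected/fixed releases the post states, and a triage pass over access-log lines that flags POST requests to createView endpoints. The log lines are constructed samples in NCSA combined format (what a reverse proxy or Winstone access logger typically writes); the assumption that createView endpoints end in "/createView" at the root, under a folder, or under a view is mine.

```python
"""Triage helpers for the Jenkins createView advisory (CVE-2026-53435).

(1) is_affected(): decide from a version string whether a controller is still
    on a release the advisory lists as affected.
(2) suspicious_create_view(): flag POST requests to createView endpoints in
    access logs so they can be reviewed against expected admin activity.
The log lines below are constructed samples, not real traffic.
"""
import re
from typing import Iterable

# Ranges stated in the post: weekly <= 2.567 and LTS <= 2.555.2 are affected;
# fixed releases are weekly 2.568 and LTS 2.555.3.
FIXED_WEEKLY = (2, 568)
FIXED_LTS = (2, 555, 3)


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(version: str) -> bool:
    """LTS releases carry three components (2.555.2); weekly releases two."""
    parts = parse_version(version)
    return parts < FIXED_LTS if len(parts) == 3 else parts < FIXED_WEEKLY


# NCSA-style access log line (assumed layout for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: createView lives at /createView, /job/<folder>/createView, etc.
CREATE_VIEW_RE = re.compile(r'/createView$')


def suspicious_create_view(lines: Iterable[str]) -> list:
    """Return POST hits on createView endpoints; user '-' means unauthenticated."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if CREATE_VIEW_RE.search(m["path"].split("?", 1)[0]):
            hits.append({"ip": m["ip"], "user": m["user"],
                         "path": m["path"], "status": m["status"]})
    return hits


# Constructed sample log: two createView POSTs by "bob" should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - alice [15/Jun/2026:10:01:02 +0000] "GET /view/All/ HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [15/Jun/2026:10:02:40 +0000] "POST /createView HTTP/1.1" 302 0',
    '10.0.0.9 - bob [15/Jun/2026:10:02:41 +0000] "POST /job/team/createView HTTP/1.1" 302 0',
    '10.0.0.7 - carol [15/Jun/2026:10:03:00 +0000] "POST /job/team/build HTTP/1.1" 201 0',
]
```

Cross-check each flagged user against the View/Configure, Item/Configure and Agent/Configure audit the post recommends; a hit from a user who should not hold those permissions is the case to escalate.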
