Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.jenkins-ci.plugins/mercurial@1260.vdfb_723cdcc81
purl pkg:maven/org.jenkins-ci.plugins/mercurial@1260.vdfb_723cdcc81
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-1pzb-gkrf-m3hq Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin Mercurial Plugin provides a webhook endpoint at `/mercurial/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET requests and without authentication. In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository. Mercurial Plugin 1260.vdfb_723cdcc81 does not provide the names of jobs for which polling is triggered unless the user has the appropriate Item/Read permission. CVE-2022-43410
GHSA-j7pg-863g-22p6

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T16:03:47.439299+00:00 GHSA Importer Fixing VCID-1pzb-gkrf-m3hq https://github.com/advisories/GHSA-j7pg-863g-22p6 38.0.0
2026-04-01T13:05:00.514280+00:00 GithubOSV Importer Fixing VCID-1pzb-gkrf-m3hq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-j7pg-863g-22p6/GHSA-j7pg-863g-22p6.json 38.0.0