Vulnerability details: VCID-3vtx-uz1q-vqc6
Vulnerability ID VCID-3vtx-uz1q-vqc6
Aliases CVE-2023-39151
GHSA-69vw-3pcm-84rw
Summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
cvssv3 8.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-39151.json
epss 0.0106 https://api.first.org/data/v1/epss?cve=CVE-2023-39151
epss 0.01207 https://api.first.org/data/v1/epss?cve=CVE-2023-39151
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-69vw-3pcm-84rw
cvssv3.1 8.0 https://github.com/CVEProject/cvelist/blob/975222d6e43b5b1296dbc8a67d03704a1d2554e8/2023/39xxx/CVE-2023-39151.json
generic_textual HIGH https://github.com/CVEProject/cvelist/blob/975222d6e43b5b1296dbc8a67d03704a1d2554e8/2023/39xxx/CVE-2023-39151.json
cvssv3.1 8.0 https://github.com/jenkinsci/jenkins
generic_textual HIGH https://github.com/jenkinsci/jenkins
cvssv3.1 8.0 https://github.com/jenkinsci/jenkins/commit/1b9f1ccdbb7d00705b036d1332908fe52c2cd7ae
generic_textual HIGH https://github.com/jenkinsci/jenkins/commit/1b9f1ccdbb7d00705b036d1332908fe52c2cd7ae
cvssv3.1 8.0 https://nvd.nist.gov/vuln/detail/CVE-2023-39151
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-39151
cvssv3.1 8.0 https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
generic_textual HIGH https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
ssvc Track https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
cvssv3.1 8.0 http://www.openwall.com/lists/oss-security/2023/07/26/2
generic_textual HIGH http://www.openwall.com/lists/oss-security/2023/07/26/2
ssvc Track http://www.openwall.com/lists/oss-security/2023/07/26/2
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-39151.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/CVEProject/cvelist/blob/975222d6e43b5b1296dbc8a67d03704a1d2554e8/2023/39xxx/CVE-2023-39151.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins/commit/1b9f1ccdbb7d00705b036d1332908fe52c2cd7ae
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-39151
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:38Z/ Found at https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2023/07/26/2
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T21:06:38Z/ Found at http://www.openwall.com/lists/oss-security/2023/07/26/2
Exploit Prediction Scoring System (EPSS)
Percentile 0.7759
EPSS Score 0.0106
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:37.640926+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2023-39151.yml 38.0.0