CVE-2026-53435

EPSS 0.4%
hype LIKELY HACK · 78 hack

In-the-wild exploitation confirmed by credible sources; no KEV yet but vendor patching underway.

What: Jenkins 2.567 and earlier suffer unsafe deserialization of arbitrary types from attacker-controlled config.xml, enabling user impersonation, Script Console access, and arbitrary file read (CVSS 8.8).

Why it matters: DefusedCyber confirmed in-the-wild exploitation attempts hitting decoys since June 15. Vendor patches available per Jenkins advisory. Active scanning and POC development reported across security community. Not yet KEV-listed but exploitation activity is credible and current.

Where it's seen: Security researchers posting live exploitation tracking, technical breakdowns of gadget chains, vendor advisory links, and exploitation scanning tools across Twitter/Bluesky. Engagement driven by active threat confirmation rather than disclosure timing.

RISK: CRITICAL — Active exploitation confirmed, RCE/impersonation capability, affects widely-deployed CI/CD infrastructure.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/16/2026, 8:29:31 AM

Description

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.