CVE-2026-57303 | Jenkins Assembla Plugin 1.4 and earlier does not configure i… | CVSS 7.1 HIGH

Description

Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.

Metadata

CVE ID: CVE-2026-57303
State: PUBLISHED
Assigner: jenkins
Reserved: 2026-06-24 08:41 UTC
Published: 2026-06-24 13:20 UTC
Last updated: 2026-06-24 14:19 UTC
Primary CWE: CWE-918
CWE-918 Server-Side Request Forgery (SSRF)
Vendor / Product: Jenkins Project / Jenkins Assembla Plugin
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Jenkins Project	Jenkins Assembla Plugin	—	0 ≤ 1.4

Weakness (CWE)

CWE	Source	Description
CWE-918	adp	CWE-918 Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (1)

Jenkins Security Advisory 2026-06-24 https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3692%20(1)