{"api_version":"1","generated_at":"2026-06-10T23:56:09+00:00","cve":"CVE-2026-53440","urls":{"html":"https://cve.report/CVE-2026-53440","api":"https://cve.report/api/cve/CVE-2026-53440.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53440","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53440"},"summary":{"title":"CVE-2026-53440","description":"Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the \"from\" parameter in the \"Delegate to servlet container\" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.","state":"PUBLISHED","assigner":"jenkins","published_at":"2026-06-10 14:16:36","updated_at":"2026-06-10 19:43:28"},"problem_types":["CWE-601","CWE-601 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3721","name":"https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3721","refsource":"jenkinsci-cert@googlegroups.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53440","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53440","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Jenkins Project","product":"Jenkins","version":"unaffected 2.568 * maven","platforms":[]},{"source":"CNA","vendor":"Jenkins Project","product":"Jenkins","version":"unaffected 2.555.3 2.555.* maven","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-53440","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-10T14:39:08.475776Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-601","description":"CWE-601 URL Redirection to Untrusted Site ('Open Redirect')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T14:39:11.982Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"affected","product":"Jenkins","vendor":"Jenkins Project","versions":[{"lessThan":"*","status":"unaffected","version":"2.568","versionType":"maven"},{"lessThan":"2.555.*","status":"unaffected","version":"2.555.3","versionType":"maven"}]}],"descriptions":[{"lang":"en","value":"Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the \"from\" parameter in the \"Delegate to servlet container\" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain."}],"providerMetadata":{"dateUpdated":"2026-06-10T13:06:00.984Z","orgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","shortName":"jenkins"},"references":[{"name":"Jenkins Security Advisory 2026-06-10","tags":["vendor-advisory"],"url":"https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3721"}]}},"cveMetadata":{"assignerOrgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","assignerShortName":"jenkins","cveId":"CVE-2026-53440","datePublished":"2026-06-10T13:06:00.984Z","dateReserved":"2026-06-09T14:26:44.789Z","dateUpdated":"2026-06-10T14:39:11.982Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-10 14:16:36","lastModifiedDate":"2026-06-10 19:43:28","problem_types":["CWE-601","CWE-601 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53440","Ordinal":"1","Title":"CVE-2026-53440","CVE":"CVE-2026-53440","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53440","Ordinal":"1","NoteData":"Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the \"from\" parameter in the \"Delegate to servlet container\" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.","Type":"Description","Title":"CVE-2026-53440"}]}}}