CVE-2025-53658 – org.jenkins-ci.plugins:applitools-eyes
Package
Manager: maven
Name: org.jenkins-ci.plugins:applitools-eyes
Vulnerable Version: >=0 <1.16.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00035 (percentile 0.08549)
Details
Jenkins Applitools Eyes Plugin vulnerable to XSS through its Build page
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML metacharacters.
Metadata
Created: 2025-07-09T18:30:46Z
Modified: 2025-07-09T21:17:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j4wf-9gx8-63f8/GHSA-j4wf-9gx8-63f8.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-j4wf-9gx8-63f8
Finding: F425
Auto approve: 1