CVE-2025-53651 – org.jenkins-ci.plugins:htmlpublisher

Package

Manager: maven
Name: org.jenkins-ci.plugins:htmlpublisher
Vulnerable Version: >=0 <427

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00386 pctl0.58988

Details

Jenkins HTML Publisher Plugin vulnerability displays controller file system information in its logs Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.

Metadata

Created: 2025-07-09T18:30:45Z
Modified: 2025-07-09T20:44:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-367v-5ppj-2hrx/GHSA-367v-5ppj-2hrx.json
CWE IDs: ["CWE-36", "CWE-779"]
Alternative ID: GHSA-367v-5ppj-2hrx
Finding: F063
Auto approve: 1