Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.
We announce unresolved security issues in the following plugins:

* Gatling Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2025-06-06/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3588 / CVE-2025-5806

Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the `Content-Security-Policy` protection introduced in Jenkins 1.641 and 1.625.3.

This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

As of publication of this advisory, there is no fix.
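The protection the advisory refers to is the `Content-Security-Policy` header Jenkins attaches to user-controlled files it serves (workspaces, archived artifacts, and reports that go through `DirectoryBrowserSupport`); a plugin that serves report HTML by another route, without that header, lets script in the report run on the Jenkins origin. The following is an added example, written for this page and not code from the advisory, from Jenkins, or from the Gatling Plugin. It classifies the headers of an HTML response as "scripts blocked" or not, using the policy rules a browser applies (the `sandbox` directive, and `script-src` falling back to `default-src`). Assumptions: `JENKINS_DEFAULT_CSP` is the documented default value of the `hudson.model.DirectoryBrowserSupport.CSP` system property; the sample header sets are constructed, not captured from a real instance; `fetch_headers` is a helper of my own that uses Jenkins' user-plus-API-token basic authentication and expects you to supply the URL of the report page you want to check.

```python
"""Classify a Jenkins HTTP response: does its Content-Security-Policy stop script
in user-controlled content (reports, workspace files) from running?

Added example; not code from the advisory, Jenkins, or the Gatling Plugin.
JENKINS_DEFAULT_CSP is the documented default Jenkins applies via
DirectoryBrowserSupport. SAMPLES below are constructed, not captured.
"""
from typing import Dict, List, Optional
import base64
import urllib.request

JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [tokens]}.

    Names and tokens are lower-cased; keywords keep their quotes ('self',
    'none'). A repeated directive keeps its first occurrence, as browsers do.
    """
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def effective_script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src, falling back to default-src; None means no restriction at all."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def allows_script_execution(directives: Dict[str, List[str]]) -> bool:
    """True if script can run under this policy in the Jenkins threat model.

    Only 'none' (or an empty list, which browsers treat the same) counts as
    blocking. 'self' is not enough: the attacker-controlled report is served
    from the same origin as Jenkins, so a same-origin script file is trivial
    to supply alongside the report.
    """
    srcs = effective_script_sources(directives)
    if srcs is None:
        return True
    return any(s != "'none'" for s in srcs)


def sandbox_blocks_scripts(directives: Dict[str, List[str]]) -> bool:
    """The sandbox directive disables script unless allow-scripts is granted."""
    flags = directives.get("sandbox")
    return flags is not None and "allow-scripts" not in flags


def assess_response(headers: Dict[str, str]) -> Dict[str, object]:
    """Verdict for one response's headers (header-name lookup is case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return {"has_csp": False, "scripts_blocked": False,
                "reason": "no Content-Security-Policy header: report script runs on the Jenkins origin"}
    d = parse_csp(csp)
    if sandbox_blocks_scripts(d):
        return {"has_csp": True, "scripts_blocked": True, "reason": "sandbox without allow-scripts"}
    if not allows_script_execution(d):
        return {"has_csp": True, "scripts_blocked": True, "reason": "script sources restricted to 'none'"}
    return {"has_csp": True, "scripts_blocked": False,
            "reason": f"policy permits script: {effective_script_sources(d) or 'unrestricted'}"}


def fetch_headers(url: str, user: str, api_token: str) -> Dict[str, str]:
    """Fetch a report URL with Jenkins API-token basic auth; returns its headers.

    Hypothetical helper for live use only; the offline check below never calls it.
    """
    req = urllib.request.Request(url, method="GET")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any Jenkins instance).
SAMPLES: Dict[str, Dict[str, str]] = {
    "default_csp": {"Content-Type": "text/html", "Content-Security-Policy": JENKINS_DEFAULT_CSP},
    "csp_missing": {"Content-Type": "text/html"},
    "self_only": {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"},
    "sandbox_with_scripts": {"Content-Type": "text/html",
                             "Content-Security-Policy": "sandbox allow-scripts; script-src 'self'"},
}


def assess_samples() -> Dict[str, bool]:
    """Map each sample name to whether its policy blocks script execution."""
    return {name: bool(assess_response(h)["scripts_blocked"]) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        v = assess_response(hdrs)
        print(f"{name:22} scripts_blocked={str(v['scripts_blocked']):5} {v['reason']}")
```

Run it against the URL of a served report page (with `fetch_headers`) to see which of the four outcomes you get; only the first sample pattern, the stock Jenkins header, is the protected case. Since the advisory states there is no fix, the practical mitigation is to treat anyone who can change report content as able to run script in other users' browsers on the Jenkins origin, and restrict that set of users accordingly.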