CVE-2025-53651

MEDIUM4.3EPSS 1.3%

Jenkins HTML Publisher Plugin vulnerability displays controller file system information in its logs

Published: 7/9/2025Modified: 11/5/2025

Description

Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.

Affected packages (1)

Maven/org.jenkins-ci.plugins:htmlpublisherfrom 0, < 427

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53651
PATCHhttps://github.com/jenkinsci/htmlpublisher-plugin
WEBhttps://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3547
WEBhttp://www.openwall.com/lists/oss-security/2025/07/09/4