Base Score

MEDIUM5.3

CVE-2025-59476

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateSep 17, 2025, 14:15

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed2.516.3

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced2.517

Fixed2.528

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	0	2.516.3	N/A
org.jenkins-ci.main:jenkins-core(Maven)	2.517	2.528	N/A

Weakness Type (CWE):CWE-117

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

MEDIUM5.3

Weakness Type (CWE):CWE-117

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE