KEVIntel
CVE-2026-53435 · Status: Published · CVSS 8.8 (High)

Not yet in CISA KEV

Exploited in the wild · PoC available · Remote · Low complexity · No user interaction

Vendor: Jenkins Project
Product: Jenkins
Published: Jun 10, 2026
EPSS: 1.4% (81st percentile)

Description

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

Weaknesses (CWE)

  • Deserialization of Untrusted Data

CVSS Scores

CVSS v3.1 8.8 High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitation Status

Exploited in the wild

Recorded 2026-06-15 09:02:00 UTC · Defused Cyber

Proof of concept available

Recorded 2026-06-12 14:50:22 UTC · GitHub

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

Source · Added
Defused Cyber (first to list) · 2026-06-15 09:02 UTC
Daily CyberSecurity · 2026-06-15 10:20 UTC

Recent Mentions

Jenkins RCE Vulnerability CVE-2026-53435 Now Under Active Exploitation

Daily CyberSecurity · Jun 15, 2026

Attackers are already abusing a critical Jenkins RCE vulnerability in the wild. Tracked as CVE-2026-53435, the flaw lets

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

AmesianX/CVE-2026-53435

github · Created 2026-06-12 14:50:22 UTC · 0 stars

An offensive security researcher + an AI vs. a fresh n-day: building the first public PoC for CVE-2026-53435 in one Friday night. Raw 8h20m log inside.

Timeline

  • KEV confirmed by Daily CyberSecurity

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • CVE Published to Public

  • CVE ID Reserved