{"vulnerability": "cve-2026-4252", "sightings": [{"uuid": "f8bdd4f7-5ed0-4e4e-9871-b31a3606c378", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-4252", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116242987588275568", "content": "", "creation_timestamp": "2026-03-17T06:00:29.520368Z"}, {"uuid": "feb5f06d-682c-4753-b0ab-4522e2f42631", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4252", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mimmhbamij2a", "content": "", "creation_timestamp": "2026-04-03T21:00:14.475504Z"}, {"uuid": "41467b0a-ad20-4145-a494-ff05634f1ef5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42525", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mkndkgtahk2n", "content": "CVE-2026-42525 - Jenkins Microsoft Entra ID Plugin Open Redirection Vulnerability\nCVE ID : CVE-2026-42525\n \n Published : April 29, 2026, 1:31 p.m. 
| 46\u00a0minutes ago\n \n Description : Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not r...", "creation_timestamp": "2026-04-29T14:44:00.219516Z"}, {"uuid": "8fd8d222-37c3-40a5-8f37-ac69913585bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4252", "type": "published-proof-of-concept", "source": "https://t.me/bdufstecru/3024", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 check_is_ipv6() \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0430 IPv6 \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u043e\u0432 Tenda AC8 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u044b \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. 
\u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u0430\n\nBDU:2026-03418\nCVE-2026-4252\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0443\u0440\u043e\u0432\u043d\u044f \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 (WAF) \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u0442\u0440\u0430\u0444\u0438\u043a\u0430;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438\u0437 \u0432\u043d\u0435\u0448\u043d\u0438\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442);\n- \u0441\u0435\u0433\u043c\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0435\u0442\u0438 \u0434\u043b\u044f 
\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0443;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f (\u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f, \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438) \u0438 \u0440\u0435\u0430\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u0447\u0430\u0441\u0442\u043d\u044b\u0445 \u0441\u0435\u0442\u0435\u0439 \u0434\u043b\u044f \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0438 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (VPN).\n\n\u0418\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438:\nhttps://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_ipv6_auth_bypass.py", "creation_timestamp": "2026-03-20T12:34:05.000000Z"}, {"uuid": "bce7dfa4-3525-4ce4-9c61-cc528c7619df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42521", "type": "seen", "source": 
"https://bsky.app/profile/cve.skyfleet.blue/post/3mknd2fatm72q", "content": "CVE-2026-42521 - Jenkins Matrix Authorization Strategy Plugin Deserialization RCE\nCVE ID : CVE-2026-42521\n \n Published : April 29, 2026, 1:31 p.m. | 46\u00a0minutes ago\n \n Description : Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes p...", "creation_timestamp": "2026-04-29T14:35:01.793945Z"}, {"uuid": "82560d26-50d3-4bba-b253-e25fcf90beb7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42520", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mkncwzgp6h2e", "content": "CVE-2026-42520 - Jenkins Credentials Binding Plugin Unsanitized File Name Vulnerability\nCVE ID : CVE-2026-42520\n \n Published : April 29, 2026, 1:31 p.m. | 46\u00a0minutes ago\n \n Description : Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file n...", "creation_timestamp": "2026-04-29T14:33:08.815226Z"}, {"uuid": "e8ebc99f-34b6-4011-a11e-27f1ec52d3e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42523", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mknclb2n7s2k", "content": "CVE-2026-42523 - Jenkins GitHub Plugin Stored XSS Vulnerability\nCVE ID : CVE-2026-42523\n \n Published : April 29, 2026, 1:31 p.m. 
| 46\u00a0minutes ago\n \n Description : Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementi...", "creation_timestamp": "2026-04-29T14:26:34.291867Z"}, {"uuid": "fe8ac7a5-ab47-4a7b-90d6-25f41211437a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42522", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mkncqtsprg2i", "content": "CVE-2026-42522 - Jenkins GitHub Branch Source Plugin Permission Bypass Vulnerability\nCVE ID : CVE-2026-42522\n \n Published : April 29, 2026, 1:31 p.m. | 46\u00a0minutes ago\n \n Description : A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and ...", "creation_timestamp": "2026-04-29T14:29:41.497611Z"}, {"uuid": "a350695d-ad3f-4b3d-acec-cc7a0cc5b0a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42524", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mkncttifnr2c", "content": "CVE-2026-42524 - Jenkins HTML Publisher Plugin Stored XSS Vulnerability\nCVE ID : CVE-2026-42524\n \n Published : April 29, 2026, 1:31 p.m. | 46\u00a0minutes ago\n \n Description : Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file,...", "creation_timestamp": "2026-04-29T14:31:21.708551Z"}, {"uuid": "590a7519-2813-4f5f-a125-7ecc6d13edb5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42523", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mkorqf3ol323", "content": "Jenkins GitHub Plugin \u22641.46.0 hit by CRITICAL XSS (CVE-2026-42523). Authenticated users can inject malicious JS. Restrict permissions & monitor activity. 
Patch pending \u2014 see vendor advisory. https://radar.offseq.com/threat/cve-2026-42523-vulnerability-in-jenkins-project-je-d7de8e87 #OffSeq #Jenki...", "creation_timestamp": "2026-04-30T04:30:32.975574Z"}, {"uuid": "4ba24056-c2fc-4f73-85c2-2df816279cd1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42520", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3mknjes22qz2a", "content": "Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ \u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u9069\u5207\u306b\u30b5\u30cb\u30bf\u30a4\u30ba\u3055\u308c\u305a\u3001\u4efb\u610f\u5834\u6240\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u66f8\u304d\u8fbc\u3081\u308b\u3002\nCVE-2026-42520 CVSS 7.5 | HIGH", "creation_timestamp": "2026-04-29T16:28:13.445631Z"}, {"uuid": "b4e6e87b-bdb2-42bb-a2a5-63d3612b0616", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-42523", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116491775490142620", "content": "\ud83d\udea8 CRITICAL: Jenkins GitHub Plugin \u22641.46.0 has a stored XSS (CVE-2026-42523). Attackers with Overall/Read permission can run JS in users' browsers. Limit permissions & check vendor for patches. 
https://radar.offseq.com/threat/cve-2026-42523-vulnerability-in-jenkins-project-je-d7de8e87 #OffSeq #Jenkins #XSS #Vuln", "creation_timestamp": "2026-04-30T04:30:43.966268Z"}, {"uuid": "68d503cc-6b23-4664-9d13-1afefb20e934", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42520", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mkqmsdd5lr2n", "content": "\ud83d\udfe0 CVE-2026-42520 - High (7.5)\n\nJenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names fo...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42520/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-04-30T22:07:28.466945Z"}, {"uuid": "904b37fb-a01f-4c43-b52b-fc1f410d29e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42523", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mkqmskn7yy2z", "content": "\ud83d\udd34 CVE-2026-42523 - Critical (9)\n\nJenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of Java...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42523/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-04-30T22:07:35.976922Z"}, {"uuid": "a70687f5-9ce6-4f01-89e9-df73aa543211", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42524", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mkqmssaozi2z", "content": "\ud83d\udfe0 CVE-2026-42524 - High (8)\n\nJenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy 
wrap...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42524/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-04-30T22:07:43.891399Z"}, {"uuid": "dcf3229f-482c-41aa-9db1-226dfd680da6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42524", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3ml574cgbfw2r", "content": "\ud83d\udccc CVE-2026-42524 - Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting ... https://www.cyberhub.blog/cves/CVE-2026-42524", "creation_timestamp": "2026-05-05T22:07:06.646586Z"}, {"uuid": "65c0991e-4188-4b26-a7a4-ee51063b8ee6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42526", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmahaomavt2t", "content": "CVE-2026-42526 - Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends\nCVE ID : CVE-2026-42526\n \n Published : May 19, 2026, 8:16 p.m. | 1\u00a0hour, 58\u00a0minutes ago\n \n Description : In the AWS Secre...", "creation_timestamp": "2026-05-19T22:36:07.185048Z"}, {"uuid": "62b57abc-30e2-4251-8638-5530c472f213", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42523", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3ml5zwmlcjd25", "content": "\ud83d\udccc CVE-2026-42523 - Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature \"GitHub... 
https://www.cyberhub.blog/cves/CVE-2026-42523", "creation_timestamp": "2026-05-06T06:07:07.363795Z"}, {"uuid": "4393f11d-ce2c-472a-89e8-5ded2fc0a235", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42523", "type": "seen", "source": "https://bsky.app/profile/keiwork35.bsky.social/post/3mlqeqeikhi22", "content": "\u3010\u8106\u5f31\u6027\u60c5\u5831\u3011 CVE-2026-42523 Jenkins GitHub\u00a0Plugin\u306e\u8106\u5f31\u6027\u306b\u3064\u3044\u3066\n\nJenkins GitHub Plugin 1.46.0\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u3001\"GitHub hook trigger for GITScm polling\"\u6a5f\u80fd\u306e\u691c\u8a3c\u3092\u5b9f\u88c5\u3059\u308bJavaScript\u306e\u4e00\u90e8\u3068\u3057\u3066\u3001", "creation_timestamp": "2026-05-13T13:08:23.742991Z"}, {"uuid": "247696c8-6316-4fe4-92f8-596f765ffae9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42526", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mma4tie6mk25", "content": "CVE-2026-42526: Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends", "creation_timestamp": "2026-05-19T19:29:34.343945Z"}]}