GHSA-p2fr-mq9m-6w6p

GitHub Security Advisory

Cross-site Scripting in Jenkins Email Extension Plugin

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.

Affected Packages

Maven org.jenkins-ci.plugins:email-ext
Affected versions: 0 (fixed in 2.94)

Related CVEs

Key Information

GHSA ID: GHSA-p2fr-mq9m-6w6p
Published: February 15, 2023 3:30 PM
Last Modified: February 23, 2023 9:31 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:email-ext
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 3, 2025 6:16 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.