CVE-2026-48924

4.3 MEDIUM

Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing at...

Published: 2026-05-27 · Last updated: 2026-05-28

Severity and scoring

Vendor	Product
jenkins	bitbucket_oauth

Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

Source: NVD

Same vendor

CVE-2026-53442 — Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job c... (5.3 MEDIUM)
CVE-2026-53441 — Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description ... (5.4 MEDIUM)
CVE-2026-53440 — Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" secur... (4.3 MEDIUM)
CVE-2026-53439 — Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine... (4.3 MEDIUM)
CVE-2026-53438 — A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lackin... (4.3 MEDIUM)

Same CWE

CVE-2026-53523 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.8 MEDIUM)
CVE-2026-50089 — The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untruste... (6.1 MEDIUM)
CVE-2026-46616 — Umbraco is an ASP.NET CMS (5.4 MEDIUM)
CVE-2026-48856 — Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data (6.5 MEDIUM)
CVE-2026-45566 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (6.1 MEDIUM)