Attackers exploit Jenkins flaw to execute code through config.xml

A critical vulnerability affecting Jenkins, tracked as CVE-2026-53435, allows attackers to execute arbitrary code on Jenkins controllers by exploiting how config.xml files are handled. This flaw has a CVSS score of 8.8 and has been actively exploited within hours of its disclosure, according to threat intelligence firm Defused. To mitigate risks, it is urgent for users to patch their systems, especially those running Jenkins versions 2.567 and earlier, and LTS versions 2.555.2 and earlier. If immediate updates aren’t feasible, restricting network access to affected controllers is recommended.