Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
CVE-2016-0792
Score elevated to 9.0 because EPSS predicts 91% probability of exploitation within the next 30 days (top 0.4% of all CVEs). NVD baseline CVSS 8.8 retained for reference. Confidence: see factors.
- 7 internet-exposed hosts are running an affected version right now
- High exploitation likelihood — EPSS 83%
A fix is available — apply it.
7 internet-exposed hosts are running an affected version of CVE-2016-0792 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- 8.8
- EG Score
- 9.0(high)
- EPSS
- 99.6%
- KEV
- Not listed
Published
April 7, 2016
Last Modified
May 6, 2026
Advisory Details (6)
Auto-updated May 22, 2026Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstreamJenkins Security Advisory 2016-02-24
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24Jenkins - XStream Groovy classpath Deserialization (Metasploit) - Multiple remote Exploit
https://www.exploit-db.com/exploits/43375/Jenkins < 1.650 - Java Deserialization - Java remote Exploit
https://www.exploit-db.com/exploits/42394/Vendor Advisories for CVE-2016-0792(2)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(2)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | rubygem-openshift-origin-routing-daemon-0:0.26.6.1-1.el6op | 2016-08-24 | redhat |
| redhat | jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7 | 2016-05-03 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | 1.396 ... 1.642.1 (300 versions) | 1.642.2 | — |
Data Freshness Timeline
(refreshed 3× in last 7d / 20× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-12 11:07 UTCOSV refresh
- 2026-07-11 08:23 UTCEPSS rescore
- 2026-07-08 15:10 UTCEPSS rescore
- 2026-07-04 06:28 UTCEPSS rescore
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-23 16:30 UTCOSV refresh
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-15 17:45 UTCEPSS rescore
- 2026-06-14 23:14 UTCEPSS rescore
- 2026-06-13 22:57 UTCEPSS rescore
- 2026-06-10 22:15 UTCEPSS rescore
- 2026-06-10 13:18 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-06 21:59 UTCOSV refresh
- 2026-06-05 22:44 UTCEPSS rescore
Show 14 moreShow fewer
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-22 20:59 UTCEG score recompute
- 2026-05-22 20:59 UTCVendor advisory
- 2026-05-22 17:43 UTCOSV refresh
- 2026-05-21 22:40 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
Publicly available exploits
(4 references)Working exploit code is in the public domain (1 Metasploit module) (1 GitHub PoC) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-43375✓ verifiedFirst seen Dec 19, 2017
Jenkins - XStream Groovy classpath Deserialization (Metasploit)
Open source ↗ - Exploit-DBEDB-42394✓ verifiedFirst seen Jul 30, 2017
Jenkins < 1.650 - Java Deserialization
Open source ↗ - GitHub PoCjpiechowka/jenkins-cve-2016-0792First seen Jul 30, 2017
Exploit for Jenkins serialization vulnerability - CVE-2016-0792
Open source ↗ - Metasploitexploit/multi/http/jenkins_xstream_deserialize✓ verifiedFirst seen Feb 24, 2016
Jenkins XStream Groovy classpath Deserialization Vulnerability
Open source ↗
Frequently asked(5)
What is CVE-2016-0792?
When was CVE-2016-0792 disclosed?
Is CVE-2016-0792 actively exploited?
What is the CVSS score of CVE-2016-0792?
How do I remediate CVE-2016-0792?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2016-0792
Is Your Infrastructure Affected by CVE-2016-0792?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.