Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-53742
• https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3510