CVE-2026-57281 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlie… | CVSS 7.5 HIGH

Description

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Metadata

CVE ID: CVE-2026-57281
State: PUBLISHED
Assigner: jenkins
Reserved: 2026-06-24 08:41 UTC
Published: 2026-06-24 13:20 UTC
Last updated: 2026-06-24 13:56 UTC
Primary CWE: CWE-693
CWE-693 Protection Mechanism Failure
Vendor / Product: Jenkins Project / Jenkins Script Security Plugin
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Jenkins Project	Jenkins Script Security Plugin	—	0 ≤ 1402.v94c9ce464861

Weakness (CWE)

CWE	Source	Description
CWE-693	adp	CWE-693 Protection Mechanism Failure
CWE-93	adp	CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

Jenkins Security Advisory 2026-06-24 https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793