CVE-2026-57284 | Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earli… | CVSS 4.3 MEDIUM

Description

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.

Metadata

CVE ID: CVE-2026-57284
State: PUBLISHED
Assigner: jenkins
Reserved: 2026-06-24 08:41 UTC
Published: 2026-06-24 13:20 UTC
Last updated: 2026-06-24 13:59 UTC
Primary CWE: CWE-470
CWE-470 Use of Externally-Controlled Input to Select Classes…
Vendor / Product: Jenkins Project / Jenkins Pipeline: Groovy Plugin
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Jenkins Project	Jenkins Pipeline: Groovy Plugin	—	0 ≤ 4331.v9d06ed4658ff

Weakness (CWE)

CWE	Source	Description
CWE-470	adp	CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.3	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (1)

Jenkins Security Advisory 2026-06-24 https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677