CVE-2026-57281
HIGHJenkins Script Security Plugin < 1402.v94c9ce464861 - Protection Mechanism Failure
Title source: ruleDescription
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
References (4)
Core 4
Core References
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-57281
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2492200
Vendor Advisory vendor-advisory
Jenkins Security Advisory 2026-06-24
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793
Scores
CVSS v3
7.5
EPSS
0.0059
EPSS Percentile
44.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-693
CWE-917
CWE-93
Status
published
Products (2)
jenkins/script_security
< 1402.v94c9ce464861
Jenkins Project/Jenkins Script Security Plugin
< 1402.v94c9ce464861
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026