CVE-2026-57284
MEDIUMJenkins Pipeline: Groovy Plugin < 4331.v9d06ed4658ff - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Title source: ruleDescription
Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
Jenkins Security Advisory 2026-06-24
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677
Scores
CVSS v3
4.3
EPSS
0.0027
EPSS Percentile
19.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-470
Status
published
Products (2)
jenkins/pipeline\
< 4331.v9d06ed4658ff
Jenkins Project/Jenkins Pipeline: Groovy Plugin
< 4331.v9d06ed4658ff
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026