CVE-2026-57284

MEDIUM

Jenkins Pipeline: Groovy Plugin < 4331.v9d06ed4658ff - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Title source: rule
STIX 2.1

Description

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
Jenkins Security Advisory 2026-06-24
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677

Scores

CVSS v3 4.3
EPSS 0.0027
EPSS Percentile 19.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-470
Status published
Products (2)
jenkins/pipeline\ < 4331.v9d06ed4658ff
Jenkins Project/Jenkins Pipeline: Groovy Plugin < 4331.v9d06ed4658ff
Published Jun 24, 2026
Tracked Since Jun 24, 2026