Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-57281
PUBLISHED
More InfoOfficial Page
Assigner-jenkins
Assigner Org ID-39769cd5-e6e2-4dc8-927e-97b3aa056f5b
View Known Exploited Vulnerability (KEV) details
Published At-24 Jun, 2026 | 13:20
Updated At-30 Jun, 2026 | 12:10
Rejected At-
▼CVE Numbering Authority (CNA)

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Affected Products
Vendor
JenkinsJenkins Project
Product
Jenkins Script Security Plugin
Default Status
unaffected
Versions
Affected
  • From 0 through 1402.v94c9ce464861 (maven)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793
vendor-advisory
Hyperlink: https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-693CWE-693 Protection Mechanism Failure
CWECWE-93CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Type: CWE
CWE ID: CWE-693
Description: CWE-693 Protection Mechanism Failure
Type: CWE
CWE ID: CWE-93
Description: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. jenkins-script-security-plugin: Jenkins Script Security Plugin: Arbitrary code execution outside sandbox

A flaw was found in the Jenkins Script Security Plugin. Attackers with the ability to run sandboxed Groovy scripts can exploit this vulnerability to execute arbitrary code outside the sandbox environment. This is due to the plugin's failure to reject Groovy Abstract Syntax Tree (AST) transformation annotations that include an extensions member, allowing unauthorized script execution if a suitable script exists on the classpath.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
OpenShift Developer Tools and Services
CPEs
  • cpe:/a:redhat:ocp_tools
Default Status
affected
Problem Types
TypeCWE IDDescription
CWECWE-917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Type: CWE
CWE ID: CWE-917
Description: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Important
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-06-24 14:02:12
Made public.2026-06-24 13:20:04
Event: Reported to Red Hat.
Date: 2026-06-24 14:02:12
Event: Made public.
Date: 2026-06-24 13:20:04
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-57281
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2492200
issue-tracking
x_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json
x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-57281
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2492200
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json
Resource:
x_sadp-csaf-vex
Details not found