logo

Jenkins Security Update Patches Sandbox Bypass, Command Injection, and CSRF Bugs

ID: a3d5d6f1-0cda-5265-9a3f-bb8b49edc6e4

STIX ID: report--a3d5d6f1-0cda-5265-9a3f-bb8b49edc6e4

Feed Name: Cyber Press

Threat Score
70/100

Date Published: 2026-06-25

Date Updated: 2026-06-26

Author: Lucas Martin

...
...

Jenkins published an advisory (June 24, 2026) disclosing 26 vulnerabilities across 18 plugins, including critical Groovy sandbox bypasses (CVE-2026-57280, CVE-2026-57281) enabling arbitrary code execution on controllers, path-traversal (External Workspace Manager), shell injection via SSH wrapper generation (Git client), multiple CSRF and permission-check failures across plugins, LDAP injection, XXE, and plaintext credential storage; administrators are urged to update affected plugins and consider disabling plugins without fixes (Assembla, FitNesse, OWASP ZAP, Zowe).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.