Jenkins Security Update Patches Sandbox Bypass, Command Injection, and CSRF Bugs
ID: a3d5d6f1-0cda-5265-9a3f-bb8b49edc6e4
STIX ID: report--a3d5d6f1-0cda-5265-9a3f-bb8b49edc6e4
Feed Name: Cyber Press
Jenkins published an advisory (June 24, 2026) disclosing 26 vulnerabilities across 18 plugins, including critical Groovy sandbox bypasses (CVE-2026-57280, CVE-2026-57281) enabling arbitrary code execution on controllers, path-traversal (External Workspace Manager), shell injection via SSH wrapper generation (Git client), multiple CSRF and permission-check failures across plugins, LDAP injection, XXE, and plaintext credential storage; administrators are urged to update affected plugins and consider disabling plugins without fixes (Assembla, FitNesse, OWASP ZAP, Zowe).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
