{"api_version":"1","generated_at":"2026-06-24T18:01:52+00:00","cve":"CVE-2026-57281","urls":{"html":"https://cve.report/CVE-2026-57281","api":"https://cve.report/api/cve/CVE-2026-57281.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-57281","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-57281"},"summary":{"title":"CVE-2026-57281","description":"Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.","state":"PUBLISHED","assigner":"jenkins","published_at":"2026-06-24 14:17:34","updated_at":"2026-06-24 15:16:43"},"problem_types":["CWE-93","CWE-693","CWE-693 CWE-693 Protection Mechanism Failure","CWE-93 CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793","name":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793","refsource":"jenkinsci-cert@googlegroups.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-57281","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-57281","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Jenkins Project","product":"Jenkins Script Security Plugin","version":"affected 1402.v94c9ce464861 maven","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-57281","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-24T13:56:13.318314Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-693","description":"CWE-693 Protection Mechanism Failure","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-93","description":"CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-24T13:56:59.301Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Jenkins Script Security Plugin","vendor":"Jenkins Project","versions":[{"lessThanOrEqual":"1402.v94c9ce464861","status":"affected","version":"0","versionType":"maven"}]}],"descriptions":[{"lang":"en","value":"Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script."}],"providerMetadata":{"dateUpdated":"2026-06-24T13:20:04.648Z","orgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","shortName":"jenkins"},"references":[{"name":"Jenkins Security Advisory 2026-06-24","tags":["vendor-advisory"],"url":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793"}]}},"cveMetadata":{"assignerOrgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","assignerShortName":"jenkins","cveId":"CVE-2026-57281","datePublished":"2026-06-24T13:20:04.648Z","dateReserved":"2026-06-24T08:41:44.357Z","dateUpdated":"2026-06-24T13:56:59.301Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 14:17:34","lastModifiedDate":"2026-06-24 15:16:43","problem_types":["CWE-93","CWE-693","CWE-693 CWE-693 Protection Mechanism Failure","CWE-93 CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-24T13:56:13.318314Z","id":"CVE-2026-57281","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"57281","Ordinal":"1","Title":"CVE-2026-57281","CVE":"CVE-2026-57281","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"57281","Ordinal":"1","NoteData":"Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.","Type":"Description","Title":"CVE-2026-57281"}]}}}