Groovy AST Transformation Vulnerability in Jenkins Script Security Plugin
CVE-2026-57281
7.5HIGH
What is CVE-2026-57281?
The Jenkins Script Security Plugin, specifically versions 1402.v94c9ce464861 and earlier, is susceptible to a vulnerability that allows attackers to execute code outside of the intended sandbox environment. This occurs when Groovy scripts capable of using AST transformation annotations with an extensions member are evaluated. If such a script is present within the classpath, malicious users can exploit this flaw to execute unauthorized commands, thereby compromising the integrity of the Jenkins application.
Affected Version(s)
Jenkins Script Security Plugin 0 <= 1402.v94c9ce464861