CVE-2026-57296

CVSS 8.8 HIGHEPSS 0.6%CWE-22

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

24 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Jenkins Project · Jenkins External Workspace Manager Plugin

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3777