On June 24, 2026, Jenkins released a security advisory covering 22 vulnerabilities across 18 plugins, some of which could lead to remote code execution (RCE) on the Jenkins controller. Key vulnerabilities include a sandbox bypass in the Script Security Plugin (CVE-2026-57281) and flaws in the External Workspace Manager Plugin (CVE-2026-57296) that allow file reads and potential escalation to code execution.
Most issues can be patched, but five vulnerabilities lack fixes. No active exploitation has been reported yet. Users are advised to update affected plugins quickly and restrict access to those that remain unpatched.