CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Jenkins security advisory (AV26-629)

unknown
Serial number: AV26-629 Date: June 24, 2026 On June 24, 2026, Jenkins published a security advisory to address vulnerabilities in the following products: Assembla Plugin – versions prior to 1.4 External Workspace Manager Plugin – versions prior to 1.3.2 OWASP ZAP Plugin – versions prior to 1.0.7 Script Security Plugin – versions prior to 1402.v94c9ce464861 The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates. XXE vulnerability in Assembla Plugin Path traversal vulnerability in External Workspace Manager Plugin Builds executed on the Jenkins controller by OWASP ZAP Plugin can lead to RCE Script security bypass vulnerability in Script Security Plugin Sandbox bypass vulnerability in Script Security Plugin Jenkins Security Advisories

CSIRTS triage

What
Multiple vulnerabilities including XXE, path traversal, and remote code execution.
Who is affected
Users of Jenkins and its plugins.
Urgency
Remediation is urgent due to the potential for remote code execution and other vulnerabilities.
Action
Update affected plugins to the latest versions.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Jenkins

Get an email when a new Jenkins advisory drops — max one per day, one-click unsubscribe.

Details

Source
Canadian Centre for Cyber Security (CA · national-cert · site)
Severity
unknown
Published
2026-06-24
Exploitation
Not in CISA KEV at last sync

Original advisory: https://cyber.gc.ca/en/alerts-advisories/jenkins-security-advisory-av26-629

More from Canadian Centre for Cyber Security