Jenkins security advisory (AV26-629)
Serial number: AV26-629 Date: June 24, 2026 On June 24, 2026, Jenkins published a security advisory to address vulnerabilities in the following products: Assembla Plugin – versions prior to 1.4 External Workspace Manager Plugin – versions prior to 1.3.2 OWASP ZAP Plugin – versions prior to 1.0.7 Script Security Plugin – versions prior to 1402.v94c9ce464861 The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates. XXE vulnerability in Assembla Plugin Path traversal vulnerability in External Workspace Manager Plugin Builds executed on the Jenkins controller by OWASP ZAP Plugin can lead to RCE Script security bypass vulnerability in Script Security Plugin Sandbox bypass vulnerability in Script Security Plugin Jenkins Security Advisories
CSIRTS triage
- What
- Multiple vulnerabilities including XXE, path traversal, and remote code execution.
- Who is affected
- Users of Jenkins and its plugins.
- Urgency
- Remediation is urgent due to the potential for remote code execution and other vulnerabilities.
- Action
- Update affected plugins to the latest versions.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Jenkins
Get an email when a new Jenkins advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://cyber.gc.ca/en/alerts-advisories/jenkins-security-advisory-av26-629
More from Canadian Centre for Cyber Security
- unknownBitWarden security advisory (AV26-683)2026-07-10
- criticalAL25-007 - Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 12026-07-10
- unknownMicrosoft Edge security advisory (AV26-682)2026-07-10
- criticalBroadcom VMware security advisory (AV26-681)2026-07-10
- unknownDjango security advisory (AV26-084) – Update 12026-07-09