CVE-2026-57301
Analyzed
Analyzed - Analysis Complete
Jenkins Controller Code Execution in OWASP ZAP Plugin
Vulnerability report for CVE-2026-57301, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-24
Last updated on: 2026-06-26
Assigner: Jenkins Project
Description
Description
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | official_owasp_zap | to 1.0.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |