CVE-2026-57282

MEDIUM NVD

CVSS Score 5

Severity MEDIUM

Published Jun 24, 2026

Vendor unknown

Description

Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent.

References

https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3723