CVE Catalog

CVE-2026-57301

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile — higher than 34% of all known CVEs

Summary

Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.

Risk Assessment

The risk involves potential takeover of the Jenkins controller by an attacker with only Item/Configure permissions, which could compromise the confidentiality, integrity, and availability of the system.

Recommendation

It is recommended to immediately update the OWASP ZAP plugin to a version newer than 1.0.7, or if no patch is available, temporarily disable the plugin or restrict Item/Configure permissions to trusted users only.

Original NVD description (English source)

Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS