CVE-2026-57296
published 2026-06-24

Priority: P2, 62 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.0th percentile)
Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.

Affected

40 ranges · showing 25

Vendor | Product | Version range | Fixed in
jenkins | active_directory | |
jenkins | active_directory_plugin | |
jenkins | assembla | |
jenkins | assembla_plugin | |
jenkins | bitbucket_push_and_pull_request | |
jenkins | bitbucket_push_and_pull_request_plugin | |
jenkins | contrast_continuous_application_security | |
jenkins | contrast_continuous_application_security_plugin | |
jenkins | ec2_fleet | |
jenkins | ec2_fleet_plugin | |
jenkins | external_workspace_manager | |
jenkins | external_workspace_manager_plugin | |
jenkins | fitnesse | |
jenkins | fitnesse_plugin | |
jenkins | git_client | |
jenkins | git_client_plugin | |
jenkins | git_parameter | |
jenkins | git_parameter_plugin | |
jenkins | gitee | |
jenkins | gitee_plugin | |
jenkins | github_branch_source | |
jenkins | github_branch_source_plugin | |
jenkins | groovy | |
jenkins | groovy_plugin | |
jenkins | jenkins_controller_by_owasp_zap | |