In Script Security Plugin component for Jenkins versions 1402.v94c9ce464861 and earlier a high severity vulnerability CVE-2026-57280 was detected. This vulnerability allows attackers to bypass sandbox protection. To address this issue, users should upgrade Script Security Plugin to version 1402.1405.vc96e74964250 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-57280.
Read more Developer ToolsIn Script Security Plugin component for Jenkins versions 1402.v94c9ce464861 and earlier a high severity vulnerability CVE-2026-57281 was detected. This vulnerability allows attackers to execute code outside the sandbox. To address this issue, users should upgrade Script Security Plugin to version 1402.1405.vc96e74964250 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-57281.
Read more Developer ToolsIn Git client Plugin component for Jenkins versions 6.6.0 and earlier a medium severity vulnerability CVE-2026-57282 was detected. This vulnerability allows attackers who can control the name of a build’s working directory to execute arbitrary operating system commands on the agent. To address this issue, users should upgrade Git client Plugin to version 6.6.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-57282.
Read more Developer ToolsIn Pipeline: Groovy Plugin component for Jenkins versions 4331.v9d06ed4658ff and earlier a medium severity vulnerability CVE-2026-57283 was detected. This vulnerability allows attackers to instantiate unauthorized types through the Pipeline Snippet Generator. To address this issue, users should upgrade Pipeline: Groovy Plugin to version 4331.4333.v50a_b_076c5199 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-57283.
Read more Developer ToolsIn Pipeline: Groovy Plugin component for Jenkins versions 4331.v9d06ed4658ff and earlier a medium severity vulnerability CVE-2026-57284 was detected. This vulnerability allows attackers to instantiate restricted types related to job or system configuration. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-57284.
Read more Developer ToolsIn Plane versions before 12.128.2 a high severity vulnerability CVE-2026-56243 was detected. This vulnerability allows attackers to bypass organization-level hashed API key enforcement by sending plaintext API keys in the capgkey header to the PostgREST/RLS plane to access protected resources. To address this issue, users should upgrade Plane to version 12.128.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-56243.
Read more Developer ToolsIn Helm versions 4.0.0 to before 4.1.4 a high severity vulnerability CVE-2026-35205 was detected. This vulnerability allows an attacker to bypass plugin signature verification, potentially leading to the installation of untrusted or malicious code. This occurs because the Helm plugin verification mechanism “fails open” when a provenance (.prov) file is missing, even if signature verification is explicitly required by the user’s configuration. By deliberately omitting the .prov file, a malicious actor can force Helm to successfully install an unsigned plugin without raising a security error. To address this issue, users should upgrade Helm to version 4.1.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35205.
In Helm versions 4.0.0 to before 4.1.4 a high severity vulnerability CVE-2026-35204 was detected. This vulnerability allows an attacker to write the contents of a plugin to arbitrary filesystem locations outside the designated Helm plugin directory. This occurs due to a path traversal flaw when installing or updating a specially crafted Helm plugin. If the version field within the plugin’s plugin.yaml file contains POSIX dot-dot path separators (e.g., /../), Helm fails to properly sanitize the path before writing files. To address this issue, users should upgrade Helm to version 4.1.4 or later. As a temporary workaround, users can manually validate that the plugin.yaml of any Helm plugin does not include path separators in the version field before installation. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35204.
In Gogs versions prior to 0.14.3 a critical severity vulnerability CVE-2026-52811 was detected. This vulnerability allows an authenticated attacker with repository write access to write files outside the repository working tree, potentially leading to Remote Code Execution (RCE) or unauthorized SSH access. This occurs due to improper symlink validation in the UploadRepoFiles function, which only checks for symlinks at the leaf of the upload target rather than evaluating the entire path. By committing a parent directory symlink and then crafting a multipart upload with a filename containing a literal backslash (which gets converted to a directory separator), an attacker can redirect the file write through the symlink. Because the system opens the destination without preventing symlink following (missing O_NOFOLLOW), the attacker can overwrite sensitive files anywhere the gogs user has write permissions, such as ~git/.ssh/authorized_keys for SSH access or <repo>.git/hooks/post-receive for RCE on the next push. To address this issue, users should upgrade Gogs to version 0.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-52811.