Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.
This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.
Jenkins Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.