diff --git a/jenkins-plugin-cli.sh b/jenkins-plugin-cli.sh
index 2633ce15..c3030515 100755
--- a/jenkins-plugin-cli.sh
+++ b/jenkins-plugin-cli.sh
@@ -1,3 +1,9 @@
 #!/bin/bash
 
-exec /bin/bash -c "java $JAVA_OPTS -jar /opt/jenkins-plugin-manager.jar $*"
+# read JAVA_OPTS into array to avoid need for eval (and associated vulnerabilities)
+java_opts_array=()
+while IFS= read -r -d '' item; do
+ java_opts_array+=( "$item" )
+done < <([[ $JAVA_OPTS ]] && xargs printf '%s\0' <<<"$JAVA_OPTS")
+
+exec java "${java_opts_array[@]}" -jar /opt/jenkins-plugin-manager.jar "$@"
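Review bot: A `JAVA_OPTS` that is set but holds only whitespace passes the `[[ $JAVA_OPTS ]]` guard in the process substitution, and GNU xargs then runs `printf '%s\0'` once with no arguments, so the array receives one empty element and `java ""` fails before it reaches `-jar`. Adding `-r` closes that case: `done < <([[ $JAVA_OPTS ]] && xargs -r printf '%s\0' <<<"$JAVA_OPTS")`. Separately, xargs exits non-zero on an unbalanced quote and the exit status of the process substitution is never checked, so a malformed `JAVA_OPTS` appears to be dropped in whole or in part without an error, and java would start without the settings the operator asked for (these can include trust-store or proxy options). Consider checking it with `wait $!` after the loop (bash 4.4 or later) and aborting on failure. The added comment could also name `bash -c` rather than `eval`, since that is the construct the removed line used.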