CVE-2026-42520
published 2026-04-29
high, 7.5 (CVSS 3.1)
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | credentials_binding | <= 719.v80e905ef14eb | — |
| jenkins | credentials_binding | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | github | — | — |
| jenkins | github_branch_source | — | — |
| jenkins | github_branch_source_plugin | — | — |
| jenkins | github_plugin | — | — |
| jenkins | html_publisher | — | — |
| jenkins | html_publisher_plugin | — | — |
| jenkins | matrix_authorization_strategy | — | — |
| jenkins | matrix_authorization_strategy_plugin | — | — |
| jenkins | script_security | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins_project | jenkins_credentials_binding_plugin | <= 719.v80e905ef14eb_ | — |