CVE-2026-48920
Published: 2026-05-27
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.
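An added example, not code from the plugin or from this advisory: a pre-send audit of email HTML that flags `<img>` tags carrying `data-inline` whose URL scheme falls outside an allow-list. It assumes the image URL sits in the `src` attribute, and the http/https allow-list is an illustrative policy, not the plugin's actual fix; the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only remote web images are acceptable for inlining.
ALLOWED_SCHEMES = {"http", "https"}


class InlineImageAuditor(HTMLParser):
    """Collects <img data-inline> tags whose URL scheme is not allow-listed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (line_number, src)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)  # HTMLParser lower-cases attribute names
        if "data-inline" not in attr:  # only inlined images are in scope
            return
        src = (attr.get("src") or "").strip()
        try:
            scheme = urlsplit(src).scheme.lower()
        except ValueError:  # malformed URL: treat as not allowed
            scheme = ""
        # Allow-list, not deny-list: file:, schemeless and unknown schemes all fail.
        if scheme not in ALLOWED_SCHEMES:
            self.findings.append((self.getpos()[0], src))


def audit_email_html(html):
    """Return [(line, src), ...] for inlined images that violate the policy."""
    auditor = InlineImageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample email body (not taken from a real job or template).
SAMPLE = """<html><body>
<img src="https://ci.example.test/logo.png" data-inline="true">
<img src="file:///constructed/path/sample.txt" data-inline="true">
<img src="FILE:/constructed/other" DATA-INLINE>
<img src="file:///not/inlined.png">
</body></html>"""

if __name__ == "__main__":
    for line, src in audit_email_html(SAMPLE):
        print(f"line {line}: inlined image with disallowed URL: {src!r}")
```
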
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | active_directory | — | — |
| jenkins | active_directory_plugin | — | — |
| jenkins | appspider | — | — |
| jenkins | appspider_plugin | — | — |
| jenkins | bitbucket_oauth | — | — |
| jenkins | bitbucket_oauth_plugin | — | — |
| jenkins | credentials_binding | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | email_extension | <= 1925.v1598902b_58dd | — |
| jenkins | email_extension | — | — |
| jenkins | email_extension | — | — |
| jenkins | email_extension_plugin | — | — |
| jenkins | github_integration | — | — |
| jenkins | github_integration_plugin | — | — |
| jenkins | groovy_libraries | — | — |
| jenkins | groovy_libraries_plugin | — | — |
| jenkins | job_import | — | — |
| jenkins | job_import_plugin | — | — |
| jenkins | ldap | — | — |
| jenkins | ldap_plugin | — | — |
| jenkins | ldap_referrals_in_active_directory | — | — |
| jenkins | ldap_referrals_in_active_directory_plugin | — | — |
| jenkins | multijob | — | — |
| jenkins | multijob_plugin | — | — |
| jenkins_project | jenkins_email_extension_plugin | <= 1933.v45cec755423f | — |