CVE-2026-48921
Published: 2026-05-27
Severity: high, 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | active_directory | — | — |
| jenkins | active_directory_plugin | — | — |
| jenkins | appspider | — | — |
| jenkins | appspider_plugin | — | — |
| jenkins | bitbucket_oauth | — | — |
| jenkins | bitbucket_oauth_plugin | — | — |
| jenkins | credentials_binding | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | email_extension | — | — |
| jenkins | email_extension_plugin | — | — |
| jenkins | github_integration | — | — |
| jenkins | github_integration_plugin | — | — |
| jenkins | groovy_libraries | — | — |
| jenkins | groovy_libraries_plugin | — | — |
| jenkins | job_import | — | — |
| jenkins | job_import_plugin | — | — |
| jenkins | ldap | — | — |
| jenkins | ldap_plugin | — | — |
| jenkins | ldap_referrals_in_active_directory | — | — |
| jenkins | ldap_referrals_in_active_directory_plugin | — | — |
| jenkins | multijob | — | — |
| jenkins | multijob_plugin | — | — |
| jenkins | pipeline | < 798.v5cc688825312 | 798.v5cc688825312 |
| jenkins_project | jenkins_pipeline_groovy_libraries_plugin | <= 797.v90ea_a_9b_e45a_0 | — |