CVE-2026-48922
Published: 2026-05-27
Severity: High, 7.5 (CVSS 3.1)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | active_directory | — | — |
| jenkins | active_directory_plugin | — | — |
| jenkins | appspider | — | — |
| jenkins | appspider_plugin | — | — |
| jenkins | bitbucket_oauth | — | — |
| jenkins | bitbucket_oauth_plugin | — | — |
| jenkins | credentials_binding | < 725.ve52b_2328a_fde | 725.ve52b_2328a_fde |
| jenkins | credentials_binding | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | email_extension | — | — |
| jenkins | email_extension_plugin | — | — |
| jenkins | github_integration | — | — |
| jenkins | github_integration_plugin | — | — |
| jenkins | groovy_libraries | — | — |
| jenkins | groovy_libraries_plugin | — | — |
| jenkins | job_import | — | — |
| jenkins | job_import_plugin | — | — |
| jenkins | ldap | — | — |
| jenkins | ldap_plugin | — | — |
| jenkins | ldap_referrals_in_active_directory | — | — |
| jenkins | ldap_referrals_in_active_directory_plugin | — | — |
| jenkins | multijob | — | — |
| jenkins | multijob_plugin | — | — |
| jenkins_project | jenkins_credentials_binding_plugin | <= 720.v3f6decef43ea_ | — |