CVE-2026-33001
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
| Vendor | jenkins project |
| Product | jenkins |
| Ecosystems | |
| Industries | Technology |
| Published | Mar 18, 2026 |
| Last Updated | Mar 19, 2026 |
Stay Ahead of the Next One
Get instant alerts for jenkins project jenkins
Be the first to know when new high vulnerabilities affecting jenkins project jenkins are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Jenkins Project / Jenkins
All versions affected