CVE-2026-42520

HIGH 7.5

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Vendor	jenkins project
Product	jenkins credentials binding plugin
Published	Apr 29, 2026
Last Updated	Apr 29, 2026

Stay Ahead of the Next One

Get instant alerts for jenkins project jenkins credentials binding plugin

Be the first to know when new high vulnerabilities affecting jenkins project jenkins credentials binding plugin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Jenkins Project / Jenkins Credentials Binding Plugin

0 ≤ 719.v80e905ef14eb_

References

NVD ↗ CVE.org ↗ EPSS Data ↗

jenkins.io: https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672