CVE-2026-48920HIGHCVSS 8.8

Jenkins Email Extension Plugin: Attackers able to control email content may specify `file:` URLs for images to read arbitrary files from Jenkins controller filesystem

Published May 27, 2026·Updated Jul 1, 2026

Description

Jenkins Email Extension Plugin 1933.v45cec755423f and earlier includes a feature that allows inlining images as `base64` in email content by setting the `data-inline` attribute. No restrictions are placed on the image URLs that can be inlined. This allows attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. The feature allowing inlining images as `base64` in email content by setting the `data-inline` attribute is removed from Email Extension Plugin 1933.1935.v276319e3cc47.

Affected Packages (1)

org.jenkins-ci.plugins:email-extMAVEN
Fixed in 1933.1935.v276319e3cc47

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free