CVE-2026-48920
Published: 27 May 2026
Summary
CVE-2026-48920 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Jenkins Email Extension. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 13.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Rejects externally supplied file or resource identifiers that fail validity checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read via file: URLs directly enables collection of data from the local Jenkins controller filesystem.
NVD Description
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.
Deeper analysis
Automated synthesis unavailable for this CVE.
Details
- CWE(s)
- OWASP Top 10 Web 2025
Affected Products
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-32511