Jenkins Email Extension Plugin Base64 Image Inlining Enables File Access
CVE-2026-48920 Published on May 27, 2026
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.
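An added example, not code from the Jenkins project or from this advisory: a Python audit that scans email content, such as a job's configured email body or template, for `<img>` tags carrying `data-inline` whose `src` is anything other than `http` or `https`. The allow-list, the choice to treat any `data-inline` value as a request to inline, and the sample body are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: remote http(s) images are the only sources an email should inline.
ALLOWED_SCHEMES = {"http", "https"}

def src_scheme(src):
    """Return the lower-cased URL scheme, or a label when there is none."""
    try:
        scheme = urlsplit(src).scheme  # urlsplit lower-cases the scheme
    except ValueError:
        return "(unparseable)"
    return scheme or "(relative)"

class InlineImageAuditor(HTMLParser):
    """Records <img> tags that request inlining from a non-allow-listed source."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)  # tag and attribute names arrive lower-cased
        # Conservative assumption: any data-inline attribute requests inlining.
        if tag != "img" or "data-inline" not in attr:
            return
        src = (attr.get("src") or "").strip()
        scheme = src_scheme(src)
        if scheme not in ALLOWED_SCHEMES:
            self.findings.append((self.getpos()[0], scheme, src))

def audit(html):
    """Return (line, scheme, src) for every inlined image outside the allow-list."""
    auditor = InlineImageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample email body, not taken from a real job.
SAMPLE_EMAIL = """<html><body>
<p>Build ${BUILD_NUMBER} finished.</p>
<img data-inline="true" src="https://ci.example.invalid/logo.png">
<img data-inline="true" src="  FILE:///tmp/constructed-example.png">
<img src="file:///tmp/not-inlined.png">
<IMG DATA-INLINE SRC="images/relative.png">
</body></html>"""

if __name__ == "__main__":
    for line, scheme, src in audit(SAMPLE_EMAIL):
        print(f"line {line}: data-inline image with {scheme} source: {src}")
```

Relative and unparseable sources are reported as well, because the check is an allow-list rather than a search for `file:` alone.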
Vulnerability Analysis
CVE-2026-48920 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.
Products Associated with CVE-2026-48920
Affected Versions
Jenkins Project Jenkins Email Extension Plugin: versions before and including 1933.v45cec755423f are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.