CVE-2026-42520
Jenkins Credentials Binding Plugin has a path traversal vulnerability
Description
Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier do not sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node, this can lead to remote code execution. Credentials Binding Plugin 720.v3f6decef43ea_ sanitizes the file name provided for file and zip file credentials, preventing path traversal.
How to fix CVE-2026-42520
To remediate CVE-2026-42520, upgrade the affected package to a fixed version below.
- —upgrade to 720.v3f6decef43ea or later
Is CVE-2026-42520 being exploited?
Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 720.v3f6decef43ea
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |