{"id":"CVE-2026-48922","details":"Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.","aliases":["GHSA-fxxf-w25w-mcx2"],"modified":"2026-07-15T06:10:05.300329Z","published":"2026-05-27T15:16:31.847Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3790"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/credentials-binding-plugin","events":[{"introduced":"0"},{"fixed":"e52b2328afdebcb69852687392fde94b174eaec4"}],"database_specific":{"cpe":"cpe:2.3:a:jenkins:credentials_binding:*:*:*:*:*:jenkins:*:*","extracted_events":[{"introduced":"0"},{"fixed":"725.ve52b_2328a_fde"}],"source":"CPE_RANGE"}}],"versions":["720.v3f6decef43ea_","719.v80e905ef14eb_","717.v951d49b_5f3a_a_","702.vfe613e537e88","696.v256688029804","687.v619cb_15e923f","681.vf91669a_32e45","679.v6288482e873c","677.vdc9d38cb_254d","657.v2b_19db_7d6e6d","642.v737c34dea_6c2","636.v55f1275c7b_27","631.v861c06d062b_4","626.v8d9034b_8ea_cc","621.v58c0fb_d285a_c","604.vb_64480b_c56ca_","523.vd859a_4b_122e6","credentials-binding-1.27","credentials-binding-1.26","credentials-binding-1.25","credentials-binding-1.24","credentials-binding-1.23","credentials-binding-1.22","credentials-binding-1.21","credentials-binding-1.20","credentials-binding-1.19","credentials-binding-1.18","credentials-binding-1.17","credentials-binding-1.16","credentials-binding-1.15","credentials-binding-1.14","credentials-binding-1.13","credentials-binding-1.12","credentials-binding-1.11","credentials-binding-1.10","credentials-binding-1.9","credentials-binding-1.8","credentials-binding-1.7","credentials-binding-1.6","credentials-binding-1.5","credentials-binding-1.4","credentials-binding-1.3","credentials-binding-1.2","credentials-binding-1.1","credentials-binding-1.0","credentials-binding-1.0-beta-1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48922.json","vanir_signatures_modified":"2026-07-15T06:10:05Z","vanir_signatures":[{"deprecated":false,"digest":{"line_hashes":["283660994997888405768199147020961668954","15855581707764508958002099614103293276","330732045090305727294702774515370538817","93316226126330783940200223441381298433"],"threshold":0.9},"id":"CVE-2026-48922-59e005d5","signature_type":"Line","signature_version":"v1","source":"https://github.com/jenkinsci/credentials-binding-plugin/commit/e52b2328afdebcb69852687392fde94b174eaec4","target":{"file":"src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java"}},{"target":{"file":"src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java","function":"write"},"deprecated":false,"digest":{"function_hash":"54927892099451988298524109991504126850","length":277},"id":"CVE-2026-48922-5bb86107","signature_type":"Function","signature_version":"v1","source":"https://github.com/jenkinsci/credentials-binding-plugin/commit/e52b2328afdebcb69852687392fde94b174eaec4"},{"deprecated":false,"digest":{"function_hash":"195038947790412657062521144976539978095","length":277},"id":"CVE-2026-48922-86de94cb","signature_type":"Function","signature_version":"v1","source":"https://github.com/jenkinsci/credentials-binding-plugin/commit/e52b2328afdebcb69852687392fde94b174eaec4","target":{"file":"src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/ZipFileBinding.java","function":"write"}},{"id":"CVE-2026-48922-cccc5f9c","signature_type":"Line","signature_version":"v1","source":"https://github.com/jenkinsci/credentials-binding-plugin/commit/e52b2328afdebcb69852687392fde94b174eaec4","target":{"file":"src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/ZipFileBinding.java"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["283660994997888405768199147020961668954","15855581707764508958002099614103293276","78316376180200344807500284930581927249","155587145842520603649964638249945931511"]}},{"deprecated":false,"digest":{"line_hashes":["1767505516840155050236542239488810681","266820379255261441490380393376870958390","244299128633468332403507263872305189252","220487582766312408480422522542664515624","234296419679755238253450819801040691742","267318703204051511977550572964312237579","26693008279118337373701682075747344426","155292940623917241115018024171098530642","266953341949812537367165591733567384505","131811147344513303390766550340312156807","272319848610685935508124550793282959999"],"threshold":0.9},"id":"CVE-2026-48922-ddcc3145","signature_type":"Line","signature_version":"v1","source":"https://github.com/jenkinsci/credentials-binding-plugin/commit/e52b2328afdebcb69852687392fde94b174eaec4","target":{"file":"src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/Security3672Test.java"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}