CVE-2026-33001

HIGH

Jenkins <=2.541.2 - Path Traversal

Title source: llm

Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

References (1)

[Vendor Advisory] https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657

Scores

CVSS v3 8.8

EPSS 0.0014

EPSS Percentile 33.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-59

Status published

Products (5)

jenkins/jenkins < 2.541.3

jenkins/jenkins < 2.555

Jenkins Project/Jenkins 2.541.3 - 2.541.*

Jenkins Project/Jenkins 2.555

org.jenkins-ci.main/jenkins-core 0 - 2.555Maven

Published Mar 18, 2026

Tracked Since Mar 18, 2026