
CVE-2026-48921

High

Published: 27 May 2026

Modified: 28 May 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (21.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-48921 is a high-severity Link Following (CWE-59) vulnerability in Jenkins Pipeline. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 21.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

CWE(s)

CWE-59 (Link Following)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005: Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability enables arbitrary file reads on the controller via symlink following in shared libraries.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-48920 (Same vendor: Jenkins)
CVE-2026-33001 (Same vendor: Jenkins)
CVE-2026-9804 (Shared CWE-59)
CVE-2025-24103 (Shared CWE-59)
CVE-2026-41882 (Shared CWE-59)
CVE-2026-42520 (Same vendor: Jenkins)
CVE-2026-32024 (Shared CWE-59)
CVE-2026-31894 (Shared CWE-59)
CVE-2025-0377 (Shared CWE-59)
CVE-2026-48922 (Same vendor: Jenkins)

Affected Assets

jenkins
pipeline\:_groovy_libraries

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
