Image Inlining Vulnerability in Jenkins Email Extension Plugin by Jenkins
CVE-2026-48920
8.8 HIGH
What is CVE-2026-48920?
The Jenkins Email Extension Plugin prior to version 1934 can inline images as base64 in email content. The feature is triggered by the data-inline attribute, and the plugin places no restrictions on the image URLs that can be inlined. An attacker who controls the email content can therefore supply file: URLs and read arbitrary files from the Jenkins controller filesystem, exposing sensitive information to unauthorized parties.
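The following is an added example, not code from the advisory or from the plugin: a review aid that scans email body HTML (job configuration content or templates) for inlined images whose URL is anything other than http(s). It assumes the attribute sits on `<img>` elements with the URL in `src`, and that an http/https allowlist is your own policy; the function name `audit_email_body` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: local policy allows only remote http(s) images to be inlined.
ALLOWED_SCHEMES = {"http", "https"}


class InlineImageAudit(HTMLParser):
    """Collect <img> tags carrying data-inline whose src is off the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, scheme, src)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if "data-inline" not in a:            # presence alone is treated as opt-in
            return
        # Attribute values arrive entity-decoded; drop embedded tabs/newlines too.
        src = "".join(c for c in a.get("src", "") if c not in "\t\r\n").strip()
        try:
            scheme = urlsplit(src).scheme.lower() or "(none)"
        except ValueError:
            scheme = "(unparseable)"
        if scheme not in ALLOWED_SCHEMES:
            self.findings.append((self.getpos()[0], scheme, src))


def audit_email_body(html_text):
    """Return findings for one email body; an empty list means nothing to review."""
    parser = InlineImageAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample input, not taken from a real job.
SAMPLE = """<html><body>
<img src="https://ci.example.invalid/logo.png" data-inline="true">
<img src="file:///constructed/example.png" data-inline="true">
<img src="FILE&#58;/constructed/example2.png" data-inline="true"/>
<img src="file:///constructed/not-inlined.png">
</body></html>"""

if __name__ == "__main__":
    for line, scheme, src in audit_email_body(SAMPLE):
        print(f"line {line}: data-inline image with scheme {scheme}: {src}")
```

Relative or macro-built `src` values are reported with scheme `(none)` because they cannot be resolved statically; review those by hand.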
Affected Version(s)
Jenkins Email Extension Plugin: versions 0 through 1933.v45cec755423f (inclusive)