Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-42520EXPLOITEDPATCHED

jenkins · credentials binding plugin

CVE-2026-42520: Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file cre

Description

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Affected Products

Vendor	Product	Versions
jenkins	credentials binding plugin	0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
jenkins	jenkins	cert_advisory	90%

References

https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672(vendor-advisory)

Related News (2 articles)

Tier B

BSI Advisories27d ago

[NEU] [hoch] Jenkins Plugins: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB28d ago

CVE-2026-42520 | Jenkins Credentials Binding Plugin up to 719.v80e905ef14eb_ privilege escalation

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672

PublishedApr 29, 2026

Last enriched28d agov2

Trending Score1

Source articles2

Independent2

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

Multiple Vulnerabilities in Jenkins Plugins

HIGHCVE-2026-42524EXP

CVE-2026-42524: Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in

CRITICALCVE-2026-42523EXP

CVE-2026-42523: Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing val

HIGHCVE-2026-33002

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected

MEDIUMCVE-2026-33003

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 29, 2026

Discovered by ZDM

Apr 29, 2026

Updated: severity, activelyExploited

Apr 29, 2026

Actively Exploited

Apr 29, 2026

Patch Available

Apr 29, 2026

Version History

v2

Last enriched 28d ago

v2Tier C28d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited

via VulDB

v128d ago

Initial creation