{"api_version":"1","generated_at":"2026-07-09T16:05:24+00:00","cve":"CVE-2026-33001","urls":{"html":"https://cve.report/CVE-2026-33001","api":"https://cve.report/api/cve/CVE-2026-33001.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33001","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33001"},"summary":{"title":"CVE-2026-33001","description":"Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.","state":"PUBLISHED","assigner":"jenkins","published_at":"2026-03-18 16:16:28","updated_at":"2026-06-30 03:18:35"},"problem_types":["CWE-59","CWE-22","CWE-59 CWE-59 Improper Link Resolution Before File Access ('Link Following')","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"ADP","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:10205","name":"https://access.redhat.com/errata/RHSA-2026:10205","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-33001","name":"https://access.redhat.com/security/cve/CVE-2026-33001","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10215","name":"https://access.redhat.com/errata/RHSA-2026:10215","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657","name":"https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657","refsource":"jenkinsci-cert@googlegroups.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10199","name":"https://access.redhat.com/errata/RHSA-2026:10199","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10209","name":"https://access.redhat.com/errata/RHSA-2026:10209","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10206","name":"https://access.redhat.com/errata/RHSA-2026:10206","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10211","name":"https://access.redhat.com/errata/RHSA-2026:10211","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10214","name":"https://access.redhat.com/errata/RHSA-2026:10214","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10213","name":"https://access.redhat.com/errata/RHSA-2026:10213","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10204","name":"https://access.redhat.com/errata/RHSA-2026:10204","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:10201","name":"https://access.redhat.com/errata/RHSA-2026:10201","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448645","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2448645","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33001","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33001","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Jenkins Project","product":"Jenkins","version":"unaffected 2.555 * maven","platforms":[]},{"source":"CNA","vendor":"Jenkins Project","product":"Jenkins","version":"unaffected 2.541.3 2.541.* maven","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.12","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.13","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.14","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.15","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.16","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.17","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.18","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.19","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.21","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Developer Tools and Services 4.2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Developer Hub","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-03-18T16:02:14.310Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-03-18T15:15:23.950Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:10209: OpenShift Developer Tools and Services 4.12","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10201: OpenShift Developer Tools and Services 4.13","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10211: OpenShift Developer Tools and Services 4.14","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10204: OpenShift Developer Tools and Services 4.15","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10214: OpenShift Developer Tools and Services 4.16","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10213: OpenShift Developer Tools and Services 4.17","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10215: OpenShift Developer Tools and Services 4.18","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10206: OpenShift Developer Tools and Services 4.19","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10199: OpenShift Developer Tools and Services 4.21","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:10205: OpenShift Developer Tools and Services 4.2","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"33001","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"33001","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"33001","cve":"CVE-2026-33001","epss":"0.011610000","percentile":"0.632810000","score_date":"2026-07-02","updated_at":"2026-07-03 00:06:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-33001","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-03-19T03:55:23.659873Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-59","description":"CWE-59 Improper Link Resolution Before File Access ('Link Following')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-19T12:58:23.233Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:ocp_tools:4.12::el8"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.12","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.13::el8"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.13","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.14::el8"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.14","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.15::el8"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.15","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.16::el9"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.16","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.17::el9"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.17","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.18::el9"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.18","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.19::el9"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.19","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.21::el9"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.21","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools:4.20::el9"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services 4.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"affected","product":"Red Hat Developer Hub","vendor":"Red Hat"}],"datePublic":"2026-03-18T15:15:23.950Z","descriptions":[{"lang":"en","value":"A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:42:33.872Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-33001"},{"name":"RHBZ#2448645","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448645"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10209"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10201"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10211"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10204"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10214"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10213"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10215"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10206"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10199"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10205"}],"solutions":[{"lang":"en","value":"RHSA-2026:10209: OpenShift Developer Tools and Services 4.12"},{"lang":"en","value":"RHSA-2026:10201: OpenShift Developer Tools and Services 4.13"},{"lang":"en","value":"RHSA-2026:10211: OpenShift Developer Tools and Services 4.14"},{"lang":"en","value":"RHSA-2026:10204: OpenShift Developer Tools and Services 4.15"},{"lang":"en","value":"RHSA-2026:10214: OpenShift Developer Tools and Services 4.16"},{"lang":"en","value":"RHSA-2026:10213: OpenShift Developer Tools and Services 4.17"},{"lang":"en","value":"RHSA-2026:10215: OpenShift Developer Tools and Services 4.18"},{"lang":"en","value":"RHSA-2026:10206: OpenShift Developer Tools and Services 4.19"},{"lang":"en","value":"RHSA-2026:10199: OpenShift Developer Tools and Services 4.21"},{"lang":"en","value":"RHSA-2026:10205: OpenShift Developer Tools and Services 4.2"}],"timeline":[{"lang":"en","time":"2026-03-18T16:02:14.310Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-18T15:15:23.950Z","value":"Made public."}],"title":"jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"defaultStatus":"affected","product":"Jenkins","vendor":"Jenkins Project","versions":[{"lessThan":"*","status":"unaffected","version":"2.555","versionType":"maven"},{"lessThan":"2.541.*","status":"unaffected","version":"2.541.3","versionType":"maven"}]}],"descriptions":[{"lang":"en","value":"Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes."}],"providerMetadata":{"dateUpdated":"2026-03-18T15:15:23.950Z","orgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","shortName":"jenkins"},"references":[{"name":"Jenkins Security Advisory 2026-03-18","tags":["vendor-advisory"],"url":"https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"}]}},"cveMetadata":{"assignerOrgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","assignerShortName":"jenkins","cveId":"CVE-2026-33001","datePublished":"2026-03-18T15:15:23.950Z","dateReserved":"2026-03-17T15:04:07.615Z","dateUpdated":"2026-06-30T02:42:33.872Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-18 16:16:28","lastModifiedDate":"2026-06-30 03:18:35","problem_types":["CWE-59","CWE-22","CWE-59 CWE-59 Improper Link Resolution Before File Access ('Link Following')","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2,"impactScore":6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-19T03:55:23.659873Z","id":"CVE-2026-33001","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*","versionEndExcluding":"2.541.3","matchCriteriaId":"74E8B1F1-D28F-4BC1-B50C-F736D7FA12B1"},{"vulnerable":true,"criteria":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*","versionEndExcluding":"2.555","matchCriteriaId":"D1012DE2-C6E3-4BEA-BA8E-C83B07D8DD25"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33001","Ordinal":"1","Title":"CVE-2026-33001","CVE":"CVE-2026-33001","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33001","Ordinal":"1","NoteData":"Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.","Type":"Description","Title":"CVE-2026-33001"}]}}}