Jenkins · Credentials Binding Plugin · CVE-2026-48922
**Name of the Vulnerable Software and Affected Versions**
Jenkins Credentials Binding Plugin versions 720.v3f6decef43ea and earlier
**Description**
Insufficient sanitization of file names for file and zip file credentials allows attackers who can provide credentials to a job to write files to arbitrary locations on the node filesystem. This path traversal issue can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
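The kind of file-name check the description refers to, shown as an added illustration in Java; it is not the plugin's code or its actual fix. It assumes the credential's file name is joined to a per-build directory (the hypothetical `secretsDir`), and the class and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SecretFileNameCheck {

    /** Naive form: the credential's file name is joined to the directory as-is. */
    static Path resolveUnchecked(Path secretsDir, String fileName) {
        return secretsDir.resolve(fileName).normalize();
    }

    /** Hardened form: accept only a single path component that stays inside secretsDir. */
    static Path resolveChecked(Path secretsDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty()
                || fileName.equals(".") || fileName.equals("..")
                || fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0
                || fileName.indexOf('\0') >= 0) {
            throw new IOException("Rejected credential file name: " + fileName);
        }
        Path base = secretsDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        // Defence in depth: the resolved parent must be the secrets directory itself.
        if (!base.equals(target.getParent())) {
            throw new IOException("Resolved path escapes " + base);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("secretFiles").toAbsolutePath().normalize();
        // Constructed sample names, not taken from the advisory.
        String[] names = {"settings.xml", "../outside.txt", "sub/dir.txt", "..", "a\\b.txt"};
        for (String name : names) {
            boolean naiveInside = resolveUnchecked(dir, name).startsWith(dir);
            String verdict;
            try {
                resolveChecked(dir, name);
                verdict = "accepted";
            } catch (IOException e) {
                verdict = "rejected";
            }
            System.out.printf("%-16s naive stays inside: %-5b checked: %s%n",
                    name, naiveInside, verdict);
        }
        Files.delete(dir);
    }
}
```

The explicit separator test rejects names that a containment check alone would let through, such as a name that creates a subdirectory or a backslash-separated name on a Windows agent.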
**Recommendations**
Update the Jenkins Credentials Binding Plugin to a version later than 720.v3f6decef43ea.