PT-2026-44013 · Jenkins · Email Extension Plugin

Published 2026-05-27 · Updated 2026-05-28 · CVE-2026-48920

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Jenkins Email Extension Plugin versions prior to 1933.v45cec755423f

Description

The plugin allows inlining images as base64 in email content by setting the data-inline attribute. Because there are no restrictions on the image URLs that can be inlined, attackers who can control the email content can specify file: URLs for images to read arbitrary files from the Jenkins controller filesystem.

Recommendations

Update to a version later than 1933.v45cec755423f.
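
An added example, not taken from the advisory or from the plugin's code: a Python audit that scans email template HTML for `<img>` tags carrying the `data-inline` attribute described above and flags any whose `src` is not an http(s) URL. The scheme allow-list, the function names and the sample template are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this audit: only these schemes are acceptable for inlined images.
ALLOWED_SCHEMES = {"http", "https"}


class InlineImageAuditor(HTMLParser):
    """Collects <img data-inline ...> tags whose src scheme is not allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (line, src, reason)

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <img ... />.
        if tag != "img":
            return
        attr = dict(attrs)  # names are lower-cased, values entity-decoded
        if "data-inline" not in attr:  # presence alone is treated as inlining
            return
        src = (attr.get("src") or "").strip()
        try:
            scheme = urlsplit(src).scheme.lower()
        except ValueError:
            scheme = None  # unparsable URL, report it for review
        if scheme in ALLOWED_SCHEMES:
            return
        reason = f"scheme '{scheme}'" if scheme else "no usable scheme"
        self.findings.append((self.getpos()[0], src, reason))


def audit_template(html_text):
    """Return findings for one template or rendered email body."""
    auditor = InlineImageAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample template; paths and host are placeholders.
SAMPLE_TEMPLATE = """<html><body>
<img src="https://ci.example.org/static/logo.png" data-inline="true">
<img src="file:///PLACEHOLDER/example.txt" data-inline="true">
<img src="FILE&#58;///PLACEHOLDER/example.txt" data-inline="true"/>
<img src="file:///PLACEHOLDER/example.txt">
</body></html>"""

if __name__ == "__main__":
    for line, src, reason in audit_template(SAMPLE_TEMPLATE):
        print(f"line {line}: data-inline image with {reason}: {src}")
```

Sources without a scheme are reported as well so that they can be reviewed by hand; the check is an audit aid and does not replace the plugin update.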

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-48920

Affected Products

Email Extension Plugin