Home / Vulnerability Intelligence / CVE-2026-33001

CVE-2026-33001 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 19, 2026

Jenkins - Path Traversal

Published: March 18, 2026Updated: March 19, 2026Remote Exploitable

Overview

Jenkins <= 2.554 and LTS <= 2.541.2 contains a path traversal caused by unsafe handling of symbolic links during extraction of .tar and .tar.gz archives, letting attackers with Item/Configure permission or control over agent processes write files arbitrarily on the filesystem.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 10.6%(Probability of exploitation in next 30 days)

Impact

Attackers with specific permissions can write files arbitrarily, potentially deploying malicious scripts or plugins on the Jenkins controller.

Mitigation

Update to a version later than 2.554 or LTS later than 2.541.2.

References

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657

Social Media Activity(1 post)

Ivan Ožić Bebek

@obivan

Mar 20, 2026

Deep Dive into CVE-2026-33001 : Arbitrary File Creation leading to RCE via Symlink attack in Jenkins Core https://fancy-amber-76a.notion.site/Deep-Dive-into-CVE-2026-33001-Arbitrary-File-Creation-leading-to-RCE-via-Symlink-attack-in-Jenkins-328751512b3380049b3dfa3b934a9a12

View original post

Related Resources

Details

CVE ID: CVE-2026-33001
Severity: High
CVSS Score: 8.8
Type: path_traversal
Status: unconfirmed
EPSS: 10.6%
Social Posts: 1

CWE

CWE-59

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

10.6%Probability of exploitation in the next 30 days