Vulnerability in Jenkins Project
CVE-2026-33001
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only…
EPSS: 0.003 (49.7th percentile) — read the EPSS interpretation.
Affected products
- Jenkins Project — versions 2.555, 2.541.3
References
- Jenkins Security Advisory 2026-03-18 (vendor-advisory)