Jenkins Pipeline: Groovy Libraries Plugin 797.v90eaa9be45a0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
{
"cpe": "cpe:2.3:a:jenkins:pipeline\\:_groovy_libraries:*:*:*:*:*:*:*:*",
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "798.v5cc688825312"
}
]
}[
{
"source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "72656283845224301365310572096345427899",
"length": 3980.0
},
"id": "CVE-2026-48921-2d3976b7",
"signature_type": "Function",
"target": {
"function": "doRetrieve",
"file": "src/main/java/org/jenkinsci/plugins/workflow/libs/SCMBasedRetriever.java"
}
},
{
"source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"251979580115318692229218899962687648778",
"174998602760317192040151353164042922787",
"88195518546502241173675227681388088713",
"154527407684054825527926744227986417248",
"103130227761527551167557635145230382077",
"122166725084250685294658455587807955919",
"247527537563805095468574862494952666897",
"2911532029258497559364649457357432427",
"292617559636662682115880908568957697529",
"257697839725486107349119268159641727836",
"249748238905822826680902554433092891693",
"301330057814195189920393384042041120655",
"115110573693560218960484084620930363333"
]
},
"id": "CVE-2026-48921-548fb0d0",
"signature_type": "Line",
"target": {
"file": "src/test/java/org/jenkinsci/plugins/workflow/libs/SCMSourceRetrieverTest.java"
}
},
{
"source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"215937122373796502109191090231335485637",
"46914635653444291413639397216790752478",
"109123133880426082159907658234270545242",
"319231720322609567832271823391192995748"
]
},
"id": "CVE-2026-48921-59651ceb",
"signature_type": "Line",
"target": {
"file": "src/test/java/org/jenkinsci/plugins/workflow/libs/ResourceStepTest.java"
}
},
{
"source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "262427193025924656186401405481482339666",
"length": 1143.0
},
"id": "CVE-2026-48921-61a22995",
"signature_type": "Function",
"target": {
"function": "symlinksInLibraryResourcesAreNotAllowedToEscapeWorkspaceContext",
"file": "src/test/java/org/jenkinsci/plugins/workflow/libs/ResourceStepTest.java"
}
},
{
"source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "62380524346465266434943186139516761548",
"length": 3672.0
},
"id": "CVE-2026-48921-70b78246",
"signature_type": "Function",
"target": {
"function": "retrieve",
"file": "src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java"
}
},
{
"source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"60662566486544379435341622630030831311",
"187832888546101599058657129020576564408",
"337652553324878761854784438942634422758",
"62250684697871037299317247947736883245",
"97519431344735015928937021410740131493",
"308833712860095179650833958774660384536",
"35491868682322131630027765155179054267",
"329418057557900408003709734989706799379"
]
},
"id": "CVE-2026-48921-a7842a01",
"signature_type": "Line",
"target": {
"file": "src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java"
}
},
{
"source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"140358151189412432502161373531137462280",
"313006434286295430871162023259870558341",
"116965373023178036325345523943501072199",
"174012181602255372481603887611415911943",
"151698437681026150919613016885079515193",
"25991861100952883382001140085644960093",
"272205592973470567086003009887811002051",
"321192353035999880943423934767185693186",
"335686708531239172395992492277289658567",
"329963945152930438478869758782656414947",
"108712305264454434216805754402809302544",
"332239236242080749220241827485691247992",
"274229069181856472620183768051795938726",
"8376996099183153766262120323856755825",
"326059997309244637837587532572144558116"
]
},
"id": "CVE-2026-48921-c1cc94e5",
"signature_type": "Line",
"target": {
"file": "src/main/java/org/jenkinsci/plugins/workflow/libs/SCMBasedRetriever.java"
}
}
]
"2026-07-15T06:10:17Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48921.json"