VDB
CVE-2026-33001
CVE-2026-33001
PUBLISHED
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
EPSS 0.26% · 49.7th percentile
Risk Scores
EPSS Score
0.26%
49.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | jenkins | 0, 2.542.0, 2.542.0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-33001 (circl-sighting)
- CIRCL seen: CVE-2026-33001 (circl-sighting)
- CIRCL seen: CVE-2026-33001 (circl-sighting)
- Jenkins Security Advisory 2026-03-18 (circl)
- cve-2026-33001.sh (github-poc)
- cve-2026-33001.sh (github-poc)
- 2026.xml (github-poc)
- 2026.xml (github-poc)
- 2026.xml (github-poc)
- 2026.xml (github-poc)
…and 18 more exploits
Timeline
- Mar 18, 2026 CVE Published
- Mar 19, 2026 CVE Updated
- Mar 19, 2026 EPSS Score
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 21, 2026 PoC Published
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score