Vulnerabilities
Vulnerable Software
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2026-05-27
Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2023-05-16
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2023-05-16

