What is the CVSS score of EUVD-2026-32512?

EUVD-2026-32512 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Groovy Libraries Plugin are affected by EUVD-2026-32512?

The Jenkins Pipeline: Groovy Libraries Plugin (version 797.v90ea_a_9b_e45a_0 and earlier) allows attackers with write access to shared library repositories to exfiltrate credentials, API tokens, and…

How to fix or mitigate EUVD-2026-32512?

24 hours: Inventory all Jenkins instances and identify Pipeline: Groovy Libraries Plugin version via Manage Jenkins > Manage Plugins. Restrict commit access to all shared library repositories to approved developers only with MFA enforcement. 7 days: Implement mandatory peer code review for all shared library changes before merge. Audit Jenkins credential stores and rotate secrets that could have been read via symlinks. 30 days: Monitor Jenkins security advisories for patch to Pipeline: Groovy Libraries Plugin; plan immediate upgrade upon vendor release.

Groovy Libraries Plugin EUVD-2026-32512

| CVE-2026-48921 HIGH

Improper Link Resolution Before File Access (CWE-59)

2026-05-27 jenkinsci-cert@googlegroups.com

GHSA-qjq3-wqj5-g37q

Information Disclosure Jenkins

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 21:13 vuln.today

CVSS changed

May 27, 2026 - 20:22 NVD

7.5 (None) 7.5 (HIGH)

DescriptionNVD

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

AnalysisAI

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. …

RemediationAI

24 hours: Inventory all Jenkins instances and identify Pipeline: Groovy Libraries Plugin version via Manage Jenkins > Manage Plugins. Restrict commit access to all shared library repositories to approved developers only with MFA enforcement. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-48920 HIGH This Week

8.8 May 27

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets

CVE-2026-48922 HIGH This Week

7.5 May 27

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who c

CVE-2026-48919 MEDIUM This Month

6.6 May 27

Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrati

CVE-2026-48918 MEDIUM This Month

6.6 May 27

Server-Side Request Forgery in Jenkins Active Directory Plugin 2.41 and earlier enables a highly privileged attacker to

CVE-2026-48916 MEDIUM This Month

6.6 May 27

Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery,

EUVD-2026-32512 vulnerability details – vuln.today

Back

Groovy Libraries Plugin EUVD-2026-32512

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code