Description
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
Published: 2026-02-18
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting
Action: Immediate Patch
AI Analysis

Impact

Jenkins weekly 2.483 through 2.550 and LTS 2.492.1 through 2.541.1 allow an authenticated user holding Agent/Configure or Agent/Disconnect permission to store an arbitrary description when marking an agent temporarily offline. Because that description is rendered into the Jenkins web interface without HTML escaping, any markup in it executes as JavaScript in the browser of whoever later views a page that displays the offline cause, with that viewer's session and permissions: if the victim is an administrator, the payload can drive the UI to reconfigure nodes or jobs, change credentials or exfiltrate data the victim can see. The weakness is missing output encoding at page generation (CWE-79, improper neutralization of input during web page generation) rather than a missing input check.

Affected Systems

The affected product is Jenkins core (org.jenkins-ci.main:jenkins-core): weekly releases 2.483 to 2.550 inclusive and LTS releases 2.492.1 to 2.541.1 inclusive. Releases older than 2.483 are not listed as affected. Any deployment running one of these versions is impacted until upgraded, regardless of which plugins are installed.

Risk and Exploitability

The CVSS 3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) is rated high: the attack is reachable over the network with low complexity and needs only a low-privileged account, but it requires user interaction, since a victim must view the page that renders the malicious description. The EPSS score below 1 % and the absence from the CISA Known Exploited Vulnerabilities catalog indicate no observed exploitation at the time of writing, and the SSVC assessment records Exploitation: none and Automatable: no. The attacker must hold Agent/Configure or Agent/Disconnect permission, rights that are commonly granted to build or operations users rather than reserved for administrators, and the stored payload persists until the offline cause is cleared or overwritten. With an administrator as the victim, the impact on confidentiality, integrity and availability of the Jenkins environment is rated high.

Generated by OpenCVE AI on April 18, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround is recorded in this entry. The bounded affected range (up to weekly 2.550 and LTS 2.541.1) indicates that the releases following those versions contain the fix; see the linked GHSA advisory for the exact fixed versions.

OpenCVE Recommended Actions

  • Apply the official Jenkins security update: upgrade weekly installations to 2.551 or later and LTS installations to the first LTS release after 2.541.1, as listed in GHSA-85h6-5m3v-gx37.
  • If an immediate upgrade is not possible, restrict Agent/Configure and Agent/Disconnect permissions to trusted administrators, and review every node that is currently marked temporarily offline, clearing or re-entering any offline cause whose description contains markup.
  • Audit previously stored offline cause descriptions, manually or by script via the Jenkins remote API, for HTML tags, inline event-handler attributes (onerror=, onload=, ...) and javascript: URLs. A stored payload is evidence that an account holding Agent/Configure or Agent/Disconnect was misused or compromised, so investigate who set it rather than only deleting it.
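The audit in the last two actions can be scripted against the Jenkins remote API. The Python below is an added example for this page, not OpenCVE's or the Jenkins project's code. It assumes the fields the Jenkins JSON API exports for each node under /computer/api/json (displayName, temporarilyOffline, offlineCauseReason); the node list it runs on is a constructed sample, not output captured from a real controller, and the fetch_computers helper with its URL, user and API-token parameters is a placeholder for running it against a live instance.

```python
"""Audit Jenkins agents for stored-XSS payloads in temporary offline cause descriptions.

Added example for CVE-2026-27099; not OpenCVE's or the Jenkins project's code.
Assumes the standard Jenkins remote API, which exports each Computer's
displayName, temporarilyOffline and offlineCauseReason under /computer/api/json.
The sample node list below is constructed, not captured from a real controller.
"""
import base64
import json
import re
import urllib.request

# Markup that has no business in a plain-text offline reason.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"             # an HTML tag or comment opener, e.g. <img, </a, <!--
    r"|\bon[a-z]+\s*="             # an inline event handler, e.g. onerror=
    r"|javascript\s*:"             # a javascript: URL scheme
    r"|&#x?[0-9a-f]+;|&[a-z]+;",   # entity-encoded characters that may hide the above
    re.IGNORECASE,
)

# Ask the API only for the three fields the audit needs.
TREE = "computer[displayName,temporarilyOffline,offlineCauseReason]"


def fetch_computers(jenkins_url, user, api_token):
    """Fetch the node list from a live controller (network call; not used by the offline demo).

    Jenkins accepts HTTP Basic authentication with a username and an API token.
    """
    url = f"{jenkins_url.rstrip('/')}/computer/api/json?tree={TREE}"
    req = urllib.request.Request(url)
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_suspicious_offline_causes(computer_api):
    """Return [(node_name, reason)] for temporarily-offline nodes whose reason contains markup."""
    hits = []
    for node in computer_api.get("computer", []):
        reason = node.get("offlineCauseReason") or ""
        if node.get("temporarilyOffline") and SUSPICIOUS.search(reason):
            hits.append((node.get("displayName", "?"), reason))
    return hits


# Constructed sample shaped like /computer/api/json output: two benign nodes, two planted payloads.
SAMPLE = {
    "computer": [
        {"displayName": "Built-In Node", "temporarilyOffline": False, "offlineCauseReason": ""},
        {"displayName": "linux-agent-1", "temporarilyOffline": True,
         "offlineCauseReason": "Disk replacement, back on Monday"},
        {"displayName": "win-agent-2", "temporarilyOffline": True,
         "offlineCauseReason": "maint <img src=x onerror=\"fetch('/crumbIssuer/api/json')\">"},
        {"displayName": "mac-agent-3", "temporarilyOffline": True,
         "offlineCauseReason": "<a href=\"javascript:alert(document.cookie)\">details</a>"},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE with fetch_computers("https://jenkins.example", "auditor", "<api-token>")
    # to run the audit against a real controller.
    for name, reason in find_suspicious_offline_causes(SAMPLE):
        print(f"[!] {name}: {reason!r}")
```

The JSON API returns the stored string as-is, so the check works the same on vulnerable and patched controllers; on a patched one the payload is rendered harmlessly but is still worth finding, because it identifies the account that planted it. The entity patterns will occasionally flag an innocent "&amp;" or similar; treat a hit as something to look at, not as proof of compromise.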

Advisories

Source: GitHub GHSA
ID: GHSA-85h6-5m3v-gx37
Title: Jenkins has a stored XSS vulnerability in node offline cause description
History

Fri, 20 Feb 2026 21:00:00 +0000

  Type                 Values Added
  First Time appeared  Jenkins; Jenkins jenkins
  CPEs                 cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*; cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
  Vendors & Products   Jenkins; Jenkins jenkins

Thu, 19 Feb 2026 10:30:00 +0000

  Type                 Values Added
  First Time appeared  Jenkins Project; Jenkins Project jenkins
  Vendors & Products   Jenkins Project; Jenkins Project jenkins

Thu, 19 Feb 2026 00:15:00 +0000

  Type        Values Added
  Title       org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description
  References

Wed, 18 Feb 2026 15:15:00 +0000

  Type        Values Added
  Weaknesses  CWE-79
  Metrics     cvssV3_1: score 8.0, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
              ssvc 2.0.3: Automatable: no; Exploitation: none; Technical Impact: total

Wed, 18 Feb 2026 14:45:00 +0000

  Type         Values Added
  Description  Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
  References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-02-18T14:56:27.973Z

Reserved: 2026-02-17T16:48:49.373Z

Link: CVE-2026-27099

Vulnrichment

Updated: 2026-02-18T14:54:45.810Z

NVD

Status: Analyzed

Published: 2026-02-18T15:18:43.857

Modified: 2026-02-20T20:52:03.000

Link: CVE-2026-27099

Red Hat

Severity:

Public Date: 2026-02-18T14:17:43Z

Links: CVE-2026-27099 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')