Description
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins versions 2.483 through 2.567 and LTS 2.492.1 through 2.555.2 fail to escape the user‑provided description supplied via the POST config.xml API. This oversight allows a stored cross‑site scripting vulnerability that can be triggered by any user possessing Agent/Configure permission, enabling a malicious actor to inject and execute arbitrary scripts within the context of Jenkins.

Affected Systems

Jenkins by the Jenkins Project. The affected releases include Jenkins core versions 2.483 through 2.567 and the long‑term support releases 2.492.1 through 2.555.2.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, so absolute exploitation probability is unknown. However, the requirement of Agent/Configure permission indicates that the attack surface is limited to users who can configure agents, meaning an attacker must first gain an internal role or compromise an account with that permission. If the permission is granted widely, the risk becomes higher. The disclosed nature of the issue as a stored cross‑site scripting flaw suggests that successful exploitation could lead to malicious script execution in the victim’s browser, potentially exposing Jenkins session cookies, accessing internal services, or defacing the interface.

Generated by OpenCVE AI on June 10, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Jenkins release that contains the fix (for example Jenkins 2.568 or LTS 2.555.3).
  • If an immediate upgrade is not possible, use the Jenkins update center to install the security update as soon as it is available.
  • Restrict the Agent/Configure permission to trusted users or remove it from accounts that do not need it.

Generated by OpenCVE AI on June 10, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via Config.xml POST API in Jenkins
First Time appeared Jenkins Project
Jenkins Project jenkins
Weaknesses CWE-79
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
References

Subscriptions

Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T13:06:01.921Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53441

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:37.087

Modified: 2026-06-10T14:16:37.087

Link: CVE-2026-53441

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z

Weaknesses