Description
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Published: 2026-06-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins versions 2.483 through 2.567 and LTS 2.492.1 through 2.555.2 fail to escape the user‑provided description supplied via the POST config.xml API. This oversight allows a stored cross‑site scripting vulnerability that can be triggered by any user possessing Agent/Configure permission, enabling a malicious actor to inject and execute arbitrary scripts within the context of Jenkins.

Affected Systems

Jenkins by the Jenkins Project. The affected releases include Jenkins core versions 2.483 through 2.567 and the long‑term support releases 2.492.1 through 2.555.2.

Risk and Exploitability

The CVSS score is 5.4 and the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, so absolute exploitation probability is unknown. However, the requirement of Agent/Configure permission indicates that the attack surface is limited to users who can configure agents, meaning an attacker must first gain an internal role or compromise an account with that permission. If the permission is granted widely, the risk becomes higher. The disclosed nature of the issue as a stored cross‑site scripting flaw suggests that successful exploitation could lead to malicious script execution in the victim’s browser, potentially exposing Jenkins session cookies, accessing internal services, or defacing the interface.

Generated by OpenCVE AI on June 18, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Jenkins release that contains the fix (for example Jenkins 2.568 or LTS 2.555.3).
  • If an immediate upgrade is not possible, use the Jenkins update center to install the security update as soon as it is available.
  • Restrict the Agent/Configure permission to trusted users or remove it from accounts that do not need it.

Generated by OpenCVE AI on June 18, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-93qh-vwrm-c5pw Jenkins: Stored XSS vulnerability in node offline cause description
History

Wed, 17 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title jenkins: Jenkins: Stored Cross-Site Scripting (XSS) via unescaped user-provided description
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via Config.xml POST API in Jenkins

Mon, 15 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins jenkins
CPEs cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products Jenkins
Jenkins jenkins
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 10 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via Config.xml POST API in Jenkins
First Time appeared Jenkins Project
Jenkins Project jenkins
Weaknesses CWE-79
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
References

Subscriptions

Jenkins Jenkins
Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T13:06:01.921Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53441

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T14:16:37.087

Modified: 2026-06-15T18:05:52.100

Link: CVE-2026-53441

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T13:06:01Z

Links: CVE-2026-53441 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T02:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')