CVE-2026-27099

Summary

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

Affected Software

VendorProductVersion RangeStatus
Jenkins ProjectJenkins0 < 2.483unaffected
Jenkins ProjectJenkins2.551 < *unaffected
Jenkins ProjectJenkins2.541.2 < 2.541.*unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References