CVE-2026-27099
Stored XSS in Jenkins Agent Offline Cause Description
Publication date: 2026-02-18
Last updated on: 2026-02-20
Assigner: Jenkins Project
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | jenkins | From 2.483 (inc) to 2.551 (exc) |
| jenkins | jenkins | From 2.492.1 (inc) to 2.541.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27099 is a stored cross-site scripting (XSS) vulnerability in Jenkins versions 2.483 through 2.550 (weekly) and LTS 2.492.1 through 2.541.1. The vulnerability arises because Jenkins does not properly escape user-provided input in the "Mark temporarily offline" offline cause description for nodes, which is rendered as HTML.
This flaw allows attackers who have Agent/Configure or Agent/Disconnect permissions to inject malicious scripts that are stored and later executed in the context of the Jenkins web interface. [1]
How can this vulnerability impact me?
This vulnerability can lead to stored cross-site scripting attacks, where an attacker can execute malicious scripts in the Jenkins web interface.
Such attacks can result in unauthorized actions being performed within Jenkins, theft of sensitive information such as session cookies, or further compromise of the Jenkins environment.
Exploitation requires the attacker to have Agent/Configure or Agent/Disconnect permissions, which means the attacker must already have some level of access to the Jenkins system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) in the "Mark temporarily offline" offline cause description in Jenkins versions 2.483 through 2.550 and LTS 2.492.1 through 2.541.1. Detection involves checking if your Jenkins instance is running one of these affected versions.
Since the vulnerability requires Agent/Configure or Agent/Disconnect permissions to exploit, reviewing user permissions and offline cause descriptions for suspicious or unexpected HTML content may help identify exploitation attempts.
There are no specific commands provided in the resources to detect this vulnerability directly on the network or system. [1]
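Added example (not from this page or the Jenkins project) of the two detection checks just described: comparing a reported Jenkins version against the affected ranges in the table above, and scanning node offline cause descriptions for markup. It assumes the node listing is the JSON from Jenkins' remote API (`/computer/api/json`, which exports the cause text as `offlineCauseReason`); the response embedded below is constructed, not captured from a real instance.

```python
import json
import re

# Affected ranges as listed on this page: weekly 2.483 (inc) to 2.551 (exc),
# LTS 2.492.1 (inc) to 2.541.2 (exc). Weekly versions have two numeric parts,
# LTS versions three, so each version is compared only against its own line.
AFFECTED = {2: ((2, 483), (2, 551)), 3: ((2, 492, 1), (2, 541, 2))}

# Markup that has no business in a plain-text offline cause: a tag opener or an
# HTML entity. A heuristic; anything it flags still needs a human look.
MARKUP_RE = re.compile(r"<\s*/?[a-zA-Z!]|&#?\w+;")

def parse_version(version: str) -> tuple:
    """'2.492.1' -> (2, 492, 1); raises ValueError on a non-numeric part."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(version: str) -> bool:
    """True if this Jenkins version is in an affected range for CVE-2026-27099."""
    parsed = parse_version(version)
    if len(parsed) not in AFFECTED:
        raise ValueError(f"unrecognised Jenkins version format: {version!r}")
    low, high = AFFECTED[len(parsed)]
    return low <= parsed < high

def suspicious_offline_causes(computer_api_json: str) -> list:
    """(node name, offline cause) pairs whose cause text contains markup.
    Input: body of /computer/api/json?tree=computer[displayName,offline,offlineCauseReason]
    """
    hits = []
    for node in json.loads(computer_api_json).get("computer", []):
        reason = node.get("offlineCauseReason") or ""
        if node.get("offline") and MARKUP_RE.search(reason):
            hits.append((node.get("displayName", "?"), reason))
    return hits

# Constructed sample response (not captured from a real instance); the markup is inert.
SAMPLE_COMPUTER_API = json.dumps({"computer": [
    {"displayName": "Built-In Node", "offline": False, "offlineCauseReason": ""},
    {"displayName": "linux-agent-1", "offline": True,
     "offlineCauseReason": "Disk replacement, back Monday"},
    {"displayName": "win-agent-2", "offline": True,
     "offlineCauseReason": "Maintenance <b>urgent</b> &lt;see wiki&gt;"},
]})

if __name__ == "__main__":
    for v in ("2.482", "2.550", "2.551", "2.541.1", "2.541.2"):
        print(v, "affected" if is_affected(v) else "fixed/unaffected")
    for name, reason in suspicious_offline_causes(SAMPLE_COMPUTER_API):
        print(f"review node {name!r}: offline cause contains markup: {reason!r}")
```

The running version can be read from the `X-Jenkins` response header of any Jenkins page, and a hit from the second check should be followed by a review of who holds Agent/Configure or Agent/Disconnect on that node.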
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Jenkins to a fixed version that escapes user input in the offline cause description.
- Upgrade Jenkins weekly releases to version 2.551 or later.
- Upgrade Jenkins LTS releases to version 2.541.2 or later.
Additionally, Jenkins versions 2.539 and newer enforce Content Security Policy (CSP) protections that help mitigate this vulnerability.