CVE-2026-27099
Received Received - Intake
Stored XSS in Jenkins Agent Offline Cause Description

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: Jenkins Project

Description
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27099
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jenkins jenkins From 2.483 (inc) to 2.551 (exc)
jenkins jenkins From 2.492.1 (inc) to 2.541.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27099 is a stored cross-site scripting (XSS) vulnerability in Jenkins versions 2.483 through 2.550 (weekly) and LTS 2.492.1 through 2.541.1. The vulnerability arises because Jenkins does not properly escape user-provided input in the "Mark temporarily offline" offline cause description for nodes, which is rendered as HTML.'}, {'type': 'paragraph', 'content': 'This flaw allows attackers who have Agent/Configure or Agent/Disconnect permissions to inject malicious scripts that are stored and later executed in the context of the Jenkins web interface.'}] [1]

Impact Analysis

This vulnerability can lead to stored cross-site scripting attacks, where an attacker can execute malicious scripts in the Jenkins web interface.

Such attacks can result in unauthorized actions being performed within Jenkins, theft of sensitive information such as session cookies, or further compromise of the Jenkins environment.

Exploitation requires the attacker to have Agent/Configure or Agent/Disconnect permissions, which means the attacker must already have some level of access to the Jenkins system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves stored cross-site scripting (XSS) in the "Mark temporarily offline" offline cause description in Jenkins versions 2.483 through 2.550 and LTS 2.492.1 through 2.541.1. Detection involves checking if your Jenkins instance is running one of these affected versions.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires Agent/Configure or Agent/Disconnect permissions to exploit, reviewing user permissions and offline cause descriptions for suspicious or unexpected HTML content may help identify exploitation attempts.'}, {'type': 'paragraph', 'content': 'There are no specific commands provided in the resources to detect this vulnerability directly on the network or system.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade Jenkins to a fixed version that escapes user input in the offline cause description.

  • Upgrade Jenkins weekly releases to version 2.551 or later.
  • Upgrade Jenkins LTS releases to version 2.541.2 or later.

Additionally, Jenkins versions 2.539 and newer enforce Content Security Policy (CSP) protections that help mitigate this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27099. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart