CVE-2026-27099: Cross-site Scripting in Jenkins

Severity: 8.0 HIGH (NVD)
EPSS: 0.1% (top 84.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 18

Description

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.1 | Impact: 5.9

Affected Packages (4 packages)

Source | Package | Affected from | Fixed in
NVD | jenkins/jenkins | 2.483 | 2.551 (+1 more)

Vulnerability Details (2)

GHSA: Jenkins has a stored XSS vulnerability in node offline cause description (2026-02-18)
OSV: Jenkins has a stored XSS vulnerability in node offline cause description (2026-02-18)

Vendor Advisories (2)

Jenkins: Jenkins Security Advisory 2026-02-18 (2026-02-18)
Red Hat: org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description (2026-02-18)

Threat Intelligence (1)

Wiz: CVE-2026-27099 Impact, Exploitability, and Mitigation Steps | Wiz