Jenkins: Unsecured Description Allows Malicious Code Execution
CVE-2026-27099
GHSA-85h6-5m3v-gx37
Summary
Jenkins weekly releases 2.483 through 2.550 and LTS releases 2.492.1 through 2.541.1 do not escape the user-supplied description attached to an agent's "Mark temporarily offline" offline cause. This is a stored cross-site scripting (XSS) vulnerability: a user with Agent/Configure or Agent/Disconnect permission can store a script payload in that description, and it executes in the browsers of other users who view it. To protect your Jenkins instance, update to weekly 2.551 or LTS 2.541.2.
What to do
- Weekly line: update jenkins-ci org.jenkins-ci.main:jenkins-core to version 2.551.
- LTS line: update jenkins-ci org.jenkins-ci.main:jenkins-core to version 2.541.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| jenkins-ci | org.jenkins-ci.main:jenkins-core | >= 2.483 , <= 2.550 (weekly) | 2.551 |
| jenkins-ci | org.jenkins-ci.main:jenkins-core | >= 2.492.1 , <= 2.541.1 (LTS) | 2.541.2 |
| jenkins | jenkins | >= 2.483 , <= 2.550 (weekly) | 2.551 |
| jenkins | jenkins | >= 2.492.1 , <= 2.541.1 (LTS) | 2.541.2 |
Original title
Jenkins has a stored XSS vulnerability in node offline cause description
Original description
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
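The following Python script is an added example, not code from the advisory or from the Jenkins project. It does two things a practitioner would want before and after patching: it decides from a Jenkins version string (for instance the value of the `X-Jenkins` response header) whether the instance falls in the affected weekly or LTS range quoted above and which release fixes it, and it audits the offline-cause descriptions already stored on agents for markup that looks like an XSS payload, so a payload planted before the upgrade is found and removed. The audit reads the shape of `/computer/api/json?tree=computer[displayName,offline,offlineCauseReason]`; the `offlineCauseReason` field is assumed here from memory of the Computer API and should be verified against your instance. The JSON document below is constructed sample data, and `render_offline_cause` is an illustrative stand-in for the view that renders the description, showing the unescaped behaviour the advisory describes beside the escape-on-output fix.

```python
import json
import re
from html import escape

# Affected ranges exactly as stated in the advisory (both ends inclusive).
WEEKLY_AFFECTED = ((2, 483), (2, 550))      # fixed in 2.551
LTS_AFFECTED = ((2, 492, 1), (2, 541, 1))   # fixed in 2.541.2

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(value):
    """Return a tuple of ints from a version string such as '2.541.1'.

    Accepts raw header values like '2.551-SNAPSHOT' by taking the leading
    dotted-numeric part. Weekly releases have two components, LTS three.
    """
    m = _VERSION_RE.search(value)
    if not m:
        raise ValueError("no version number in %r" % value)
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version):
    """True if this Jenkins version is in an affected weekly or LTS range."""
    parts = parse_version(version)
    if len(parts) == 3:          # LTS line, e.g. 2.492.1
        lo, hi = LTS_AFFECTED
    elif len(parts) == 2:        # weekly line, e.g. 2.483
        lo, hi = WEEKLY_AFFECTED
    else:
        raise ValueError("unrecognised Jenkins version shape: %r" % version)
    return lo <= parts <= hi


def fixed_version_for(version):
    """The release to upgrade to for the line this version belongs to."""
    return "2.541.2" if len(parse_version(version)) == 3 else "2.551"


# Markup that has no business in a free-text offline reason. Tuned for
# triage, not as a complete XSS filter; escaping on output is the real fix.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|a|style)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def suspicious_offline_causes(computer_api_json):
    """Return (agent name, reason) pairs whose stored reason looks like a payload."""
    data = json.loads(computer_api_json)
    hits = []
    for computer in data.get("computer", []):
        reason = computer.get("offlineCauseReason") or ""
        if SUSPICIOUS.search(reason):
            hits.append((computer.get("displayName", "?"), reason))
    return hits


def render_offline_cause(description, escape_output=True):
    """Illustrative stand-in for the view that shows the offline reason.

    escape_output=False reproduces the vulnerable behaviour (description
    inserted into the HTML verbatim); True is the escape-on-output fix.
    """
    body = escape(description) if escape_output else description
    return "<span class=\"offline-cause\">%s</span>" % body


# Constructed sample of the Computer API response; not real data.
SAMPLE_COMPUTER_API = json.dumps({
    "computer": [
        {"displayName": "Built-In Node", "offline": False, "offlineCauseReason": ""},
        {"displayName": "linux-agent-1", "offline": True,
         "offlineCauseReason": "Disk replacement scheduled for Friday"},
        {"displayName": "win-agent-2", "offline": True,
         "offlineCauseReason": "<img src=x onerror=alert(document.domain)>"},
    ]
})


if __name__ == "__main__":
    for v in ("2.483", "2.550", "2.551", "2.492.1", "2.541.1", "2.541.2"):
        print("%-8s affected=%-5s fix=%s" % (v, is_affected(v), fixed_version_for(v)))
    for name, reason in suspicious_offline_causes(SAMPLE_COMPUTER_API):
        print("suspicious offline reason on %s: %r" % (name, reason))
        print("  rendered unescaped:", render_offline_cause(reason, escape_output=False))
        print("  rendered escaped:  ", render_offline_cause(reason))
```

Run the audit with a read-only API token and review every hit by hand: the regex is deliberately narrow to keep the list short, and a description that merely contains an angle bracket is not proof of an attack. Clearing or rewriting the stored reason removes the payload, but only the upgrade removes the bug.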
NVD CVSS 3.1 base score
8.0
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
References
- https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669 (vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27099
- https://github.com/jenkinsci/jenkins/commit/578c028e2cdfdc9e124d0ca389a80bb2bd23...
- https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.551
- https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.541.2
- https://github.com/advisories/GHSA-85h6-5m3v-gx37
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026