CVE-2026-27099

High CVSS: 8.0

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

Vendor

Jenkins

Product

Jenkins

CWE

CWE-79

Yayın Tarihi

2026-02-18 15:18:43

Güncelleme

2026-02-20 20:52:03

Source Identifier

jenkinsci-cert@googlegroups.com

KEV Date Added

Kategoriler

CWE-79 Jenkins HIGH Jenkins 2026

Referanslar

https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669

Benzer Kayıtlar

High

CVE-2026-33001

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar a…

High

CVE-2026-33002

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validatio…

Medium

CVE-2026-33003

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins co…

Medium

CVE-2026-33004

Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, incre…

Medium

CVE-2026-27100

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting…

Medium

CVE-2025-67636

A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permiss…