logo

Database

Server side cross-site scripting In org.jenkins-ci.main:jenkins-core

Description

Jenkins has a stored XSS vulnerability in node offline cause description Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-270992. NVD-2026-270993. OSV-2026-270994. GCVE-2026-27099

References

1. https://github.com/jenkinsci/jenkins/commit/578c028e2cdfdc9e124d0ca389a80bb2bd231ab22. https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.541.23. https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.5514. https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.