{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27099", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2026-02-17T16:48:49.373Z", "datePublished": "2026-02-18T14:17:43.911Z", "dateUpdated": "2026-02-18T14:56:27.973Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-02-18T14:17:43.911Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"version": "0", "versionType": "maven", "lessThan": "2.483", "status": "unaffected"}, {"version": "2.551", "versionType": "maven", "lessThan": "*", "status": "unaffected"}, {"version": "2.541.2", "versionType": "maven", "lessThan": "2.541.*", "status": "unaffected"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the \"Mark temporarily offline\" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission."}], "references": [{"name": "Jenkins Security Advisory 2026-02-18", "url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T14:55:42.504808Z", "id": "CVE-2026-27099", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:56:27.973Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27099", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-18T14:55:42.504808Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:54:45.810Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"status": "unaffected", "version": "0", "lessThan": "2.483", "versionType": "maven"}, {"status": "unaffected", "version": "2.551", "lessThan": "*", "versionType": "maven"}, {"status": "unaffected", "version": "2.541.2", "lessThan": "2.541.*", "versionType": "maven"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669", "name": "Jenkins Security Advisory 2026-02-18", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the \"Mark temporarily offline\" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-02-18T14:17:43.911Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27099", "state": "PUBLISHED", "dateUpdated": "2026-02-18T14:56:27.973Z", "dateReserved": "2026-02-17T16:48:49.373Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2026-02-18T14:17:43.911Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "C99A3253-487D-4313-932F-2BCA7F24ED83", "versionEndExcluding": "2.551", "versionStartIncluding": "2.483", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "D5D2394C-A869-41E7-96E5-F31CEC56765D", "versionEndExcluding": "2.541.2", "versionStartIncluding": "2.492.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the \"Mark temporarily offline\" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission."}, {"lang": "es", "value": "Jenkins 2.483 a 2.550 (ambos inclusive), LTS 2.492.1 a 2.541.1 (ambos inclusive) no escapa la descripci\u00f3n proporcionada por el usuario de la causa de desconexi\u00f3n 'Marcar temporalmente sin conexi\u00f3n', lo que resulta en una vulnerabilidad de cross-site scripting (XSS) almacenado explotable por atacantes con permiso de Agente/Configurar o Agente/Desconectar."}], "id": "CVE-2026-27099", "lastModified": "2026-02-20T20:52:03.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-18T15:18:43.857", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description", "id": "2440638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser."], "name": "CVE-2026-27099", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}], "public_date": "2026-02-18T14:17:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27099\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27099\nhttps://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"], "statement": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user's browser when viewing the affected description. Red Hat OpenShift Developer Tools & Services are affected."}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,2.483)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.551,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.541.2,2.542.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Jenkins", "source": "cna", "vendor": "Jenkins Project"}, "product": "jenkins", "vendor": "jenkins_project"}], "analysis": {"en": {"generated_at": "2026-04-18T11:58:51.850564+00:00", "value": {"mitigation_remediation": ["Apply the official Jenkins security update (upgrade to 2.551 or later LTS release) to remove the unescaped input issue.", "If an immediate upgrade is not possible, restrict Agent/Configure and Agent/Disconnect permissions to only trusted administrators or delete existing temporary offline causes that contain malicious descriptions.", "Review and sanitize any previously stored offline cause descriptions manually or via a script to eliminate injected scripts before they are rendered by the web interface."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross-site Scripting"}, "threat_synthesis": {"affected_systems": "The affected products are Jenkins Project\u2019s Jenkins core running in versions 2.483 to 2.550 inclusive and the LTS releases 2.492.1 to 2.541.1 inclusive. Any deployment using one of these versions is impacted until upgraded.", "description_and_impact": "Jenkins 2.483 through 2.550 and 2.492.1 through 2.541.1 allow an attacker with Agent/Configure or Agent/Disconnect permission to save an unescaped description for a temporary offline cause. The stored cross\u2011site scripting can execute arbitrary JavaScript in the context of the Jenkins web interface, enabling session hijacking, defacement, or data theft. The vulnerability is a classic input validation flaw, identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 8.0 indicates high severity, while the EPSS score of less than 1 % suggests a very low current exploitation probability. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user possessing Agent/Configure or Agent/Disconnect rights and depends on the offline-cause description being stored in the system. Successful exploitation would compromise confidentiality and integrity of the Jenkins environment."}}}}, "created": "2026-02-19T10:19:46.148908+00:00", "updated": "2026-04-18T12:00:05.899408+00:00", "vendors": ["jenkins_project", "jenkins_project$PRODUCT$jenkins"]}