The Jenkins Security Advisory has identified a stored Cross-Site Scripting (XSS) vulnerability in Jenkins Core as one of several vulnerabilities that could seriously jeopardize the security of build environments. The two core vulnerabilities, designated CVE-2026-27099 and CVE-2026-27100, were responsibly disclosed through the European Commission's Jenkins Bug Bounty Program.

The more critical of the two, tracked as CVE-2026-27099, is a high-severity stored XSS vulnerability affecting Jenkins weekly releases 2.550 and earlier, as well as LTS releases 2.541.1 and earlier. The flaw lies in Jenkins' handling of "offline cause descriptions," the free-text explanation recorded when a build node is taken offline. These descriptions have been allowed to carry HTML content since version 2.483; in vulnerable versions, however, the user-supplied text was not properly escaped before being rendered.

CVE ID           Severity   Description                                       Affected Versions
CVE-2026-27099   High       Stored XSS in node offline cause description      Jenkins ≤ 2.550, LTS ≤ 2.541.1
CVE-2026-27100   Medium     Build information disclosure via Run Parameter    Jenkins ≤ 2.550, LTS ≤ 2.541.1

By inserting malicious JavaScript into an offline cause description, an attacker holding Agent/Configure or Agent/Disconnect permission could have that script run in the browsers of other users who view the description, compromising their sessions. Jenkins 2.551 and LTS 2.541.2 fix the issue by escaping the user-supplied input. In addition, Jenkins 2.539 and later instances that enforce a Content Security Policy (CSP) are partially protected against this attack, although CSP is a mitigation rather than a substitute for the fix.

The second vulnerability, CVE-2026-27100, rated medium severity, affects Jenkins' handling of Run Parameter values. In affected versions (up to 2.550, and LTS up to 2.541.1), Jenkins did not reject Run Parameter values that referenced builds or jobs the requesting user was not authorized to access.

This allowed attackers to determine whether particular builds or projects existed, disclosing information about the structure of the Jenkins environment. To stop this leak, Jenkins 2.551 and LTS 2.541.2 now reject Run Parameter values that the user is not permitted to access. Jenkins administrators are strongly encouraged to update to 2.551 or LTS 2.541.2 to address both vulnerabilities.
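The two checks an administrator would want before and after patching are whether the running version is below the fixed releases named above, and whether any node's offline cause description already carries markup. The script below is an added example written for this article, not code from the Jenkins project or the advisory. It assumes the version string is obtained elsewhere (Jenkins reports it in the X-Jenkins response header), and the JSON it inspects is constructed here to mimic the shape of GET /computer/api/json?tree=computer[displayName,offline,offlineCauseReason]; the displayName, offline and offlineCauseReason fields are real Computer API fields, but the node data is made up. The render_offline_cause function only models the fix the article describes (escape before rendering); it is not Jenkins' own rendering code.

```python
"""Audit helpers for CVE-2026-27099 (stored XSS in node offline cause descriptions).

Two practical checks:
 1. is_fixed(): does the controller run a release at or above weekly 2.551 / LTS 2.541.2?
 2. find_suspicious_offline_causes(): do any offline cause descriptions already
    contain markup that would have executed on a vulnerable version?
"""
import html
import json
import re

# Fixed releases named in the advisory. A three-component version (x.y.z) is an LTS line.
FIXED_WEEKLY = (2, 551)
FIXED_LTS = (2, 541, 2)

# Coarse heuristic for HTML/JS in a free-text field: a tag opener, a javascript: URL,
# or an on*= event-handler attribute. Good enough for triage; expect to review hits by hand.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample response (assumption: same shape as the real computer API, fake nodes).
SAMPLE_COMPUTER_JSON = json.dumps({
    "_class": "hudson.model.ComputerSet",
    "computer": [
        {"displayName": "Built-In Node", "offline": False, "offlineCauseReason": ""},
        {"displayName": "linux-agent-1", "offline": True,
         "offlineCauseReason": "Disk full, see ticket OPS-123"},
        {"displayName": "win-agent-2", "offline": True,
         "offlineCauseReason": "<img src=x onerror=\"fetch('/crumbIssuer/api/json')\">"},
    ],
})


def parse_version(version: str) -> tuple:
    """Turn '2.541.2' into (2, 541, 2). Assumes plain numeric Jenkins version strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed(version: str) -> bool:
    """True if the given Jenkins version carries the CVE-2026-27099/27100 fixes."""
    parts = parse_version(version)
    if len(parts) == 3:          # LTS line, e.g. 2.541.1 (vulnerable) or 2.541.2 (fixed)
        return parts >= FIXED_LTS
    return parts >= FIXED_WEEKLY  # weekly line, e.g. 2.550 (vulnerable) or 2.551 (fixed)


def find_suspicious_offline_causes(computer_api_json: str) -> list:
    """Return (node name, description) pairs whose offline cause description contains markup."""
    data = json.loads(computer_api_json)
    hits = []
    for node in data.get("computer", []):
        reason = node.get("offlineCauseReason") or ""
        if MARKUP_RE.search(reason):
            hits.append((node["displayName"], reason))
    return hits


def render_offline_cause(description: str, escape: bool = True) -> str:
    """Model of the vulnerable vs fixed behaviour described in the article:
    escape=False emits the description into the page verbatim (vulnerable),
    escape=True HTML-escapes it first (the fix in 2.551 / LTS 2.541.2)."""
    body = html.escape(description, quote=True) if escape else description
    return f'<span class="offline-cause">{body}</span>'


if __name__ == "__main__":
    for v in ("2.550", "2.551", "2.541.1", "2.541.2"):
        print(f"Jenkins {v}: {'fixed' if is_fixed(v) else 'VULNERABLE'}")
    for name, reason in find_suspicious_offline_causes(SAMPLE_COMPUTER_JSON):
        print(f"node {name!r} has markup in its offline cause: {reason!r}")
        print("  unescaped:", render_offline_cause(reason, escape=False))
        print("  escaped:  ", render_offline_cause(reason))
```

Run the audit with an account that can read the computer API; a hit on an unpatched controller means the payload is live for anyone who views that node, so clear the description before (or immediately after) upgrading. Older LTS lines such as 2.528.x are below 2.541.2 and are reported as vulnerable, which matches the advisory's "LTS ≤ 2.541.1" range.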

Controllers still running older versions remain exposed to script injection through offline cause descriptions and to unauthorized disclosure of build information.