CVE-2026-53441
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
A stored XSS vulnerability in Jenkins allows attackers with Agent/Configure permission to inject malicious scripts via an unescaped offline cause description set through the POST config.xml API. Affects Jenkins 2.483 through 2.567 and LTS 2.492.1 through 2.555.2.
Risk Assessment
An attacker can hijack user sessions, steal credentials, or perform arbitrary actions in the victim's context, compromising the confidentiality and integrity of the CI/CD system.
Recommendation
Immediately upgrade Jenkins to version 2.568 or later (LTS 2.555.3 or later). Restrict Agent/Configure permissions to trusted users only.
Original NVD description (English source)
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

