CVE Catalog

CVE-2026-53441

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

A stored XSS vulnerability in Jenkins allows attackers with Agent/Configure permission to inject malicious scripts via an unescaped offline cause description set through the POST config.xml API. Affects Jenkins 2.483 through 2.567 and LTS 2.492.1 through 2.555.2.

Risk Assessment

An attacker can hijack user sessions, steal credentials, or perform arbitrary actions in the victim's context, compromising the confidentiality and integrity of the CI/CD system.

Recommendation

Immediately upgrade Jenkins to version 2.568 or later (LTS 2.555.3 or later). Restrict Agent/Configure permissions to trusted users only.

Original NVD description (English source)

Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS