CVE-2026-27099
Published: 18 February 2026
Summary
CVE-2026-27099 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Jenkins. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 22.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-27099 is a stored cross-site scripting (XSS) vulnerability in Jenkins, affecting versions 2.483 through 2.550 (inclusive) and LTS versions 2.492.1 through 2.541.1 (inclusive). The issue arises because Jenkins does not properly escape user-provided descriptions in the "Mark temporarily offline" offline cause field for agents, allowing injected scripts to be stored and later rendered in the user interface. This flaw is classified under CWE-79 and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
Attackers with Agent/Configure or Agent/Disconnect permissions can exploit this vulnerability by marking an agent temporarily offline and supplying a malicious payload in the description field. When authorized users view the agent's status or related pages, the unescaped script executes in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of the victim within the Jenkins instance.
The official Jenkins security advisory details mitigation steps, including upgrading to Jenkins LTS 2.541.2 or later, or Jenkins weekly 2.551 or later, available at https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669. Security practitioners should review the advisory for full patch information and verify affected instances promptly.
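As an added example (not code from the advisory or from the Jenkins project), the following Python applies the affected-version ranges stated above to a Jenkins version string and shows the output-escaping fix class for the stored offline-cause description; the two-component weekly / three-component LTS version convention and the `<span>` markup are assumptions, and the sample inputs are constructed.

```python
"""Affected-version check and escaped rendering for CVE-2026-27099.

Assumption: Jenkins weekly releases are "MAJOR.MINOR" (e.g. 2.550) and LTS
releases carry a third component (e.g. 2.541.1). The inclusive ranges are
the ones given in the advisory text; 2.551 / 2.541.2 and later are fixed.
"""
import html
from typing import Tuple

# Affected ranges (inclusive) taken from the advisory text.
WEEKLY_FIRST, WEEKLY_LAST = (2, 483), (2, 550)
LTS_FIRST, LTS_LAST = (2, 492, 1), (2, 541, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.541.1' into (2, 541, 1); reject anything that is not 2 or 3 ints."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return parts


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected weekly or LTS range."""
    v = parse_version(version)
    if len(v) == 2:                       # weekly line
        return WEEKLY_FIRST <= v <= WEEKLY_LAST
    return LTS_FIRST <= v <= LTS_LAST     # LTS line


def render_offline_cause(description: str) -> str:
    """Render a user-supplied offline-cause description safely.

    This is the fix class the advisory describes: HTML-escape the stored
    text before interpolating it into the page, so markup in the
    description is displayed literally instead of being executed.
    The surrounding <span> is illustrative, not Jenkins' real template.
    """
    return f'<span class="offline-cause">{html.escape(description, quote=True)}</span>'


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real instance.
    for ver in ["2.482", "2.483", "2.550", "2.551", "2.492.1", "2.541.1", "2.541.2"]:
        print(ver, "affected" if is_affected(ver) else "not affected")
    stored = "<script>alert('x')</script>"   # constructed description containing a script tag
    print(render_offline_cause(stored))
```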
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8091
Vulnerability details
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables exploitation of the Jenkins web application (T1190) with attacker-supplied JavaScript executing in victim browsers (T1059.007), facilitating session cookie theft and hijacking (T1539) as described in the impact.
Mitigating Controls (NIST 800-53 r5)
- Requires filtering untrusted user-provided descriptions in agent offline causes when rendered in the UI to prevent execution of stored XSS payloads.
- Mandates validation of user inputs in the "Mark temporarily offline" description field to reject malicious scripts before storage.
- Enforces restrictions on the format and content of user-supplied agent offline descriptions to block XSS payloads such as script tags.