CVE-2026-27099
Published: 18 February 2026
Summary
CVE-2026-27099 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Jenkins (vendor: Jenkins). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires filtering untrusted user-provided descriptions in agent offline causes when rendered in the UI to prevent execution of stored XSS payloads.
- Mandates validation of user inputs in the 'Mark temporarily offline' description field to reject malicious scripts before storage.
- Enforces restrictions on the format and content of user-supplied agent offline descriptions to block XSS payloads such as script tags.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables exploitation of the Jenkins web application (T1190) with attacker-supplied JavaScript executing in victim browsers (T1059.007), facilitating session cookie theft and hijacking (T1539) as described in the impact.
NVD Description
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
Deeper analysis
CVE-2026-27099 is a stored cross-site scripting (XSS) vulnerability in Jenkins, affecting versions 2.483 through 2.550 (inclusive) and LTS versions 2.492.1 through 2.541.1 (inclusive). The issue arises because Jenkins does not properly escape user-provided descriptions in the "Mark temporarily offline" offline cause field for agents, allowing injected scripts to be stored and later rendered in the user interface. This flaw is classified under CWE-79 and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
Attackers with Agent/Configure or Agent/Disconnect permissions can exploit this vulnerability by marking an agent temporarily offline and supplying a malicious payload in the description field. When authorized users view the agent's status or related pages, the unescaped script executes in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of the victim within the Jenkins instance.
The official Jenkins security advisory details mitigation steps, including upgrading to Jenkins LTS 2.541.2 or later, or Jenkins weekly 2.551 or later, available at https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669. Security practitioners should review the advisory for full patch information and verify affected instances promptly.
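As an added example (not taken from this page or from the Jenkins project), a small Python audit helper for this CVE: it checks whether a Jenkins core version falls inside the affected ranges quoted above, scans a /computer/api/json document for stored offline-cause descriptions that carry HTML markup, and shows the output-escaping fix the SI-15 control describes. The JSON field names (computer, displayName, offlineCauseReason) are assumed from the Jenkins remote API, and the sample response is constructed.

```python
"""Defender-side helpers for CVE-2026-27099 (stored XSS via the description of a
Jenkins agent's "Mark temporarily offline"/disconnect cause). Constructed example."""
import html
import json
import re

# Affected ranges exactly as the NVD description gives them (all inclusive).
WEEKLY_RANGE = ((2, 483), (2, 550))      # Jenkins weekly 2.483 .. 2.550
LTS_RANGE = ((2, 492, 1), (2, 541, 1))   # Jenkins LTS 2.492.1 .. 2.541.1

# Markup with no place in a free-text reason: tag opener, event-handler attribute, javascript: URL.
MARKUP = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Constructed /computer/api/json response: one benign reason, one with a stored tag.
SAMPLE_COMPUTER_JSON = json.dumps({"computer": [
    {"displayName": "linux-agent-1", "offline": True,
     "offlineCauseReason": "Disk swap, back Monday"},
    {"displayName": "win-agent-2", "offline": True,
     "offlineCauseReason": "maintenance <script>probe()</script>"},
]})


def parse_version(version):
    """'2.541.1' -> (2, 541, 1). Weekly releases have two parts, LTS three."""
    return tuple(int(p) for p in version.strip().split("."))


def is_affected_version(version):
    """True if a Jenkins core version falls inside the vulnerable ranges."""
    parts = parse_version(version)
    if len(parts) == 2:
        low, high = WEEKLY_RANGE
    elif len(parts) == 3:
        low, high = LTS_RANGE
    else:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return low <= parts <= high


def flag_suspicious_offline_causes(computer_api_json):
    """Scan a /computer/api/json document (field names 'computer', 'displayName',
    'offlineCauseReason' assumed from the Jenkins remote API) and return the
    (agent, reason) pairs whose stored offline reason contains markup."""
    hits = []
    for agent in json.loads(computer_api_json).get("computer", []):
        reason = agent.get("offlineCauseReason") or ""
        if MARKUP.search(reason):
            hits.append((agent.get("displayName"), reason))
    return hits


def render_offline_reason(reason):
    """The fix in miniature (SI-15): HTML-escape before interpolating into the page."""
    return '<span class="offline-cause">%s</span>' % html.escape(reason, quote=True)
```

Against a live instance, fetch /computer/api/json with a read-only token and pass the body to flag_suspicious_offline_causes; any hit on an instance whose version is_affected_version reports as vulnerable warrants clearing the description and upgrading per the advisory.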
Details
- CWE(s)