Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
PR:L reflects mandatory Agent/Configure permission; UI:R captures required victim page view; S:C models cross-user browser-session scope change inherent to stored XSS.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 maven packages depend on org.jenkins-ci.main:jenkins-core (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.483.
DescriptionNVD
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
AnalysisAI
Stored XSS in Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 allows attackers holding Agent/Configure permission to inject persistent malicious scripts via the POST config.xml API by supplying an unescaped generic offline cause description. When any Jenkins user views the affected agent page, the payload executes in their browser, enabling session hijacking or unauthorized actions within the Jenkins instance. No public exploit or CISA KEV listing has been identified, and EPSS probability is low at 0.02%, reflecting the constrained attack surface from the required permission prerequisite.
Technical ContextAI
Jenkins (CPE: cpe:2.3:a:jenkins_project:jenkins) is a widely deployed open-source CI/CD automation server that exposes a POST config.xml REST API allowing users to configure agent (node) settings programmatically. One configurable field is the 'generic offline cause' description, which is displayed in the Jenkins web UI when an agent goes offline. The server fails to apply HTML entity encoding or output sanitization before rendering this field, constituting a CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS) defect. Because the malicious payload is persisted server-side and replayed to any user who loads the affected page, this is a stored/persistent XSS variant with cross-user impact, reflected in the CVSS 3.1 S:C (scope changed) metric.
RemediationAI
Upgrade Jenkins to weekly release 2.568 or LTS release 2.555.3, both confirmed as patched versions per EUVD-2026-36025 and the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731. If immediate patching is not feasible, revoke or restrict Agent/Configure permission from any user who does not strictly require it, directly eliminating the attacker-controlled input vector; note this may disrupt legitimate agent management workflows and should be coordinated with operations teams. As a defense-in-depth measure, enforcing Jenkins' built-in Content Security Policy (CSP) header (configurable via 'Manage Jenkins > Script Console') can limit inline script execution and reduce XSS impact, though this does not patch the underlying encoding defect and may break some Jenkins plugins or UI features. No workaround fully substitutes for the vendor patch.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36025
GHSA-93qh-vwrm-c5pw