Skip to main content

Jenkins CVE-2026-53441

| EUVDEUVD-2026-36025 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 jenkins GHSA-93qh-vwrm-c5pw
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects mandatory Agent/Configure permission; UI:R captures required victim page view; S:C models cross-user browser-session scope change inherent to stored XSS.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 15, 2026 - 18:08 vuln.today
CVSS changed
Jun 15, 2026 - 18:07 NVD
5.4 (MEDIUM)
CVE Published
Jun 10, 2026 - 13:06 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.jenkins-ci.main:jenkins-core (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.483.

DescriptionNVD

Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

AnalysisAI

Stored XSS in Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 allows attackers holding Agent/Configure permission to inject persistent malicious scripts via the POST config.xml API by supplying an unescaped generic offline cause description. When any Jenkins user views the affected agent page, the payload executes in their browser, enabling session hijacking or unauthorized actions within the Jenkins instance. No public exploit or CISA KEV listing has been identified, and EPSS probability is low at 0.02%, reflecting the constrained attack surface from the required permission prerequisite.

Technical ContextAI

Jenkins (CPE: cpe:2.3:a:jenkins_project:jenkins) is a widely deployed open-source CI/CD automation server that exposes a POST config.xml REST API allowing users to configure agent (node) settings programmatically. One configurable field is the 'generic offline cause' description, which is displayed in the Jenkins web UI when an agent goes offline. The server fails to apply HTML entity encoding or output sanitization before rendering this field, constituting a CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS) defect. Because the malicious payload is persisted server-side and replayed to any user who loads the affected page, this is a stored/persistent XSS variant with cross-user impact, reflected in the CVSS 3.1 S:C (scope changed) metric.

RemediationAI

Upgrade Jenkins to weekly release 2.568 or LTS release 2.555.3, both confirmed as patched versions per EUVD-2026-36025 and the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731. If immediate patching is not feasible, revoke or restrict Agent/Configure permission from any user who does not strictly require it, directly eliminating the attacker-controlled input vector; note this may disrupt legitimate agent management workflows and should be coordinated with operations teams. As a defense-in-depth measure, enforcing Jenkins' built-in Content Security Policy (CSP) header (configurable via 'Manage Jenkins > Script Console') can limit inline script execution and reduce XSS impact, though this does not patch the underlying encoding defect and may break some Jenkins plugins or UI features. No workaround fully substitutes for the vendor patch.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Vendor StatusVendor

Share

CVE-2026-53441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy