exploitDog

CVE-2026-27099

Published: 18 Feb 2026
Source: redhat
CVSS3: 4.6

Description

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.

Report

This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the "Mark temporarily offline" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user's browser when viewing the affected description. Red Hat OpenShift Developer Tools & Services are affected.

Affected packages

Platform                                | Package                    | State        | Recommendation | Release
----------------------------------------|----------------------------|--------------|----------------|--------
OpenShift Developer Tools and Services  | jenkins                    | Fix deferred |                |
OpenShift Developer Tools and Services  | ocp-tools-4/jenkins-rhel8  | Affected     |                |
OpenShift Developer Tools and Services  | ocp-tools-4/jenkins-rhel9  | Affected     |                |


Additional information

Status: Moderate
Weakness: CWE-79
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2440638
org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description

CVSS3: 4.6 (Medium)

Related vulnerabilities

CVSS3: 8
nvd
about 1 month ago

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

CVSS3: 8
redos
7 days ago

Vulnerability in jenkins

CVSS3: 8
github
about 1 month ago

Jenkins has a stored XSS vulnerability in node offline cause description
