Jenkins Stored XSS and Build Info Disclosure Vulnerabilities (CVE-2026-27099/27100)

Critical Vulnerability Information 1. Stored XSS Vulnerability CVE ID: CVE-2026-27099 Severity: High Description: - In Jenkins 2.483 and later versions, the offline reason description for nodes uses HTML, and user input is not properly escaped during rendering. - Attackers can exploit this vulnerability to perform cross-site scripting (XSS) attacks if they have Agent/Configure or Agent/Disconnect permissions. - This vulnerability has been fixed in Jenkins 2.551 and later versions, as well as in LTS 2.541.2 and later versions. - Implementing a Content Security Policy (CSP) can further mitigate this vulnerability in Jenkins 2.539 and later versions. 2. Vulnerability Exposing Build Information via Build Parameters CVE ID: CVE-2026-27100 Severity: - SECURITY-3658: Medium - SECURITY-3669: High Description: - Jenkins versions 2.550 and earlier, and LTS versions 2.541.1 and earlier, allow users to retrieve build information that they do not have permission to access via build parameters. - Exploiting this vulnerability, attackers can obtain information about existing build jobs, build details, and display names of specific builds. - Jenkins 2.551 and later versions, as well as LTS 2.541.2 and later versions, now reject build parameter references to builds that the user does not have permission to access. Affected Versions Jenkins weekly: 2.550 and earlier Jenkins LTS: 2.541.1 and earlier Remediation Jenkins weekly users should upgrade to version 2.551 or later. Jenkins LTS users should upgrade to version 2.541.2 or later. Vulnerability Reports SECURITY-3669: Reported by Muhammed Niazy (Wolfman) SECURITY-3658: Reported by Suman Roy via the Jenkins Bug Bounty Program

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Stored XSS and Build Info Disclosure Vulnerabilities (CVE-2026-27099/27100)