VYPR
Low severity · NVD Advisory · Published Nov 25, 2015 · Updated May 6, 2026

CVE-2015-5326

Description

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.main:jenkins-core (Maven) | < 1.625.2 | 1.625.2
org.jenkins-ci.main:jenkins-core (Maven) | >= 1.626, < 1.638 | 1.638

Affected products (4)

  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:* (range: <=1.637)
  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* (range: <=1.625.1)
  • Red Hat / OpenShift (2 versions):
    • cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:* (range: <=3.1)

Patches (1)

Commit abe561499bbb

[SECURITY-214] OfflineCause.toString() is a string, not necessarily HTML

https://github.com/jenkinsci/jenkins · Kohsuke Kawaguchi · Nov 4, 2015 · via GHSA
2 files changed · +3 −3
  • core/src/main/java/hudson/node_monitors/ResponseTimeMonitor.java (+2 −2, modified)
    @@ -188,7 +188,7 @@ public boolean hasTooManyTimeouts() {
             }
     
             /**
    -         * HTML rendering of the data
    +         * String rendering of the data
              */
             @Override
             public String toString() {
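    Review bot: the Javadoc change from "HTML rendering of the data" to "String rendering of the data" is accurate but leaves the new contract implicit; a caller that still treats this value as markup gets no hint from a one-word change. Suggest stating it outright, e.g. `* Plain-text rendering of the data; callers must escape it when inserting it into HTML`, so the responsibility for escaping is documented where the value is produced rather than only in the view.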
    @@ -200,7 +200,7 @@ public String toString() {
     //            return buf.toString();
                 int fc = failureCount();
                 if(fc>0)
    -                return Util.wrapToErrorSpan(Messages.ResponseTimeMonitor_TimeOut(fc));
    +                return Messages.ResponseTimeMonitor_TimeOut(fc);
                 return getAverage()+"ms";
             }
     
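    Review bot: removing `Util.wrapToErrorSpan(...)` drops the error styling around the timeout message with no replacement visible in this diff, so the `fc>0` branch and the normal `getAverage()+"ms"` branch will now render identically unless the view that displays this monitor's value applies the styling itself; confirm that, or move the styling into the view template where it belongs now that `toString()` is plain text. While here, the commented-out `//            return buf.toString();` at the top of the hunk is dead code and should be deleted rather than carried along.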
    
  • core/src/main/resources/hudson/slaves/OfflineCause/cause.jelly (+1 −1, modified)
    @@ -24,5 +24,5 @@ THE SOFTWARE.
     
     <?jelly escape-by-default='true'?>
     <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
    -  <p class="warning"><j:out value="${it}" /></p>
    +  <p class="warning">${it}</p>
     </j:jelly>
    
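    Review bot: replacing `<j:out value="${it}" />` with `${it}` is the correct fix here, because `<?jelly escape-by-default='true'?>` at the top of the file HTML-escapes plain `${...}` expressions while `j:out` writes the value through unescaped, so the offline cause message is now encoded on output. Two follow-ups: this relies on every `OfflineCause.toString()` implementation returning plain text (the ResponseTimeMonitor change in this commit does that, but any other implementation that still builds markup will now display escaped tags to the user), and a grep for other `j:out` uses of user-controlled strings would catch the same pattern elsewhere in the views.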
