High severity · NVD Advisory · Published Feb 18, 2026 · Updated Feb 18, 2026
CVE-2026-27099
Description
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.542, < 2.551 | 2.551 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.483, < 2.541.2 | 2.541.2 |
Affected products (10)
- osv-coords (9 versions):
  - pkg:apk/chainguard/jenkins-2.516
  - pkg:apk/chainguard/jenkins-2.516-openjdk-17
  - pkg:apk/chainguard/jenkins-2.516-openjdk-21
  - pkg:apk/chainguard/jenkins-2.528
  - pkg:apk/chainguard/jenkins-2.541
  - pkg:apk/chainguard/jenkins-2.541-openjdk-17
  - pkg:apk/chainguard/jenkins-2.541-openjdk-21
  - pkg:bitnami/jenkins
  - pkg:maven/org.jenkins-ci.main/jenkins-core
- < 2.516.3-r4 (+ 8 more):
  - (no CPE) range: < 2.516.3-r4
  - (no CPE) range: < 2.516.3-r4
  - (no CPE) range: < 2.516.3-r4
  - (no CPE) range: < 2.528.3-r3
  - (no CPE) range: < 2.541.2-r0
  - (no CPE) range: < 2.541.2-r0
  - (no CPE) range: < 2.541.2-r0
  - (no CPE) range: >= 2.483.0, < 2.541.2
  - (no CPE) range: >= 2.542, < 2.551
- Range: 0
References (6)
- github.com/advisories/GHSA-85h6-5m3v-gx37 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27099 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2026-02-18/ (ghsa, vendor-advisory, WEB)
- github.com/jenkinsci/jenkins/commit/578c028e2cdfdc9e124d0ca389a80bb2bd231ab2 (ghsa, WEB)
- github.com/jenkinsci/jenkins/releases/tag/jenkins-2.541.2 (ghsa, WEB)
- github.com/jenkinsci/jenkins/releases/tag/jenkins-2.551 (ghsa, WEB)
News mentions (1)
- Jenkins Security Advisory 2026-02-18 (Jenkins Security Advisories · Feb 18, 2026)