VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 10, 2026

CVE-2026-53441

CVE-2026-53441

Description

Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 are vulnerable to stored XSS via the offline cause description API, exploitable by users with Agent/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins 2.483-2.567 and LTS 2.492.1-2.555.2 are vulnerable to stored XSS via the offline cause description API, exploitable by users with Agent/Configure permission.

Vulnerability

Jenkins versions 2.483 through 2.567 and LTS 2.492.1 through 2.555.2 are affected by a stored cross-site scripting (XSS) vulnerability. This flaw exists because the user-provided description for a generic offline cause, which can be set via the POST config.xml API, is not properly escaped. [1]

Exploitation

An attacker with the Agent/Configure permission can exploit this vulnerability. The attacker needs to be able to POST to the config.xml API. By providing a malicious description for a generic offline cause, the attacker can inject script that will be executed in the browser of other users who view the affected configuration. [1]

Impact

Successful exploitation of this vulnerability results in stored XSS. This means that malicious scripts are stored within Jenkins and executed when other users interact with the affected configuration. The impact is limited to users who view the configuration, and the attacker gains the ability to execute arbitrary JavaScript in the context of the victim's browser session. [1]

Mitigation

This vulnerability is fixed in Jenkins 2.568 and LTS 2.555.3. Users are advised to update to these versions or later. No workarounds are specified in the available references. [1]

References
  1. Jenkins Security Advisory 2026-06-10

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

2