VYPR
Advisory · Published Feb 18, 2026 · Updated May 20, 2026 · 1 source

Jenkins Patches Stored XSS and Information Disclosure Flaws in Core

Jenkins released Security Advisory 2026-02-18 addressing two vulnerabilities in Jenkins Core, including a stored XSS flaw rated High severity.

Jenkins released Security Advisory 2026-02-18 on February 18, 2026, addressing two vulnerabilities in Jenkins Core. The advisory details a stored cross-site scripting (XSS) vulnerability and an information disclosure flaw, both of which have been patched in the latest weekly and LTS releases.

The more severe of the two, tracked as CVE-2026-27099 (SECURITY-3669), is a stored XSS vulnerability in the node offline cause description. Since Jenkins 2.483, the description of why a node is offline has been defined as containing HTML and is rendered as such. Jenkins 2.550 and earlier, as well as LTS 2.541.1 and earlier, do not escape the user-provided description of the "Mark temporarily offline" offline cause. This allows attackers with Agent/Configure or Agent/Disconnect permission to inject scripts that execute in the browsers of other users viewing the node status. The vulnerability is rated High severity.
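To make the defect concrete, here is an added Python sketch (not Jenkins code; the class and function names are assumptions) of the pattern the advisory describes: the offline cause description is defined as HTML and rendered unescaped, so each producer of that description must escape any user-supplied text before it becomes part of the HTML.

```python
import html
from dataclasses import dataclass


# Hypothetical stand-in for the Jenkins offline-cause type; the name is an assumption.
@dataclass
class OfflineCause:
    # By contract (since Jenkins 2.483, per the advisory) this string is HTML and is
    # rendered as-is, so every producer is responsible for escaping user input.
    description_html: str


def vulnerable_temporarily_offline(user: str, message: str) -> OfflineCause:
    """Pre-fix behaviour: the user-typed reason is dropped into HTML unescaped."""
    return OfflineCause(f"Disconnected by {user} : {message}")


def fixed_temporarily_offline(user: str, message: str) -> OfflineCause:
    """Post-fix behaviour: escape both user-controlled parts before they become HTML."""
    return OfflineCause(f"Disconnected by {html.escape(user)} : {html.escape(message)}")


def render_node_status(node: str, cause: OfflineCause) -> str:
    """The node status page trusts description_html and embeds it without escaping."""
    return f"<p>{html.escape(node)} is offline: {cause.description_html}</p>"


def contains_active_markup(rendered: str, payload: str) -> bool:
    """Defender-side check: does the user-supplied markup survive verbatim in the page?"""
    return payload in rendered


if __name__ == "__main__":
    # Constructed sample input: an offline reason carrying a script tag.
    payload = "<script>alert(1)</script>"
    for build in (vulnerable_temporarily_offline, fixed_temporarily_offline):
        page = render_node_status("agent-01", build("alice", payload))
        print(build.__name__, "->", contains_active_markup(page, payload))
```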

The second vulnerability, CVE-2026-27100 (SECURITY-3658), is a medium-severity information disclosure flaw. Jenkins 2.550 and earlier, along with LTS 2.541.1 and earlier, accept Run Parameter values that refer to builds the user submitting the build does not have access to. Attackers with Item/Build and Item/Configure permission can exploit this to determine whether a given job or build exists and, if the specified build exists, to learn its display name. This information leakage could aid reconnaissance for further attacks.

Both vulnerabilities have been fixed in Jenkins weekly version 2.551 and LTS version 2.541.2. The Jenkins project strongly recommends that all users upgrade to these versions immediately. All prior versions are considered affected unless otherwise indicated.

The vulnerabilities were discovered and reported by independent researchers. Muhammed Niazy (Wolfman) and, independently, Elie Metahri of the Airbus Protect Offensive Security Team reported the stored XSS issue (SECURITY-3669). Suman Roy reported the information disclosure flaw (SECURITY-3658).

This advisory follows a pattern of regular security updates from Jenkins, which continues to address vulnerabilities in its widely used automation server. Organizations running Jenkins should prioritize applying these patches, particularly the stored XSS fix, which could be exploited to compromise administrative sessions or steal sensitive data. The disclosure also highlights the importance of input sanitization in user-facing fields, even in enterprise software.

Synthesized by Vypr AI