CVE-2026-27099

HIGH

org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description

CVSS v3

8

HIGH

EPSS Score

0.1%

exploit probability

CISA KEV

No

known exploited

Exploitation

none

SSVC status

Description

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

Technical Details

CVSS v3 Vector
3.1
Published
2/18/2026
Last Modified
2/20/2026

Frequently Asked Questions

What is CVE-2026-27099?

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

Is CVE-2026-27099 actively exploited?

Active exploitation of CVE-2026-27099 has not been confirmed. The EPSS score is 0.1%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-27099?

CVE-2026-27099 has a CVSS v3 base score of 8 (HIGH severity), with vector string 3.1.

Is CVE-2026-27099 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.