Critical Jenkins Vulnerability Exposes Build Environments to XSS Attacks - CyberSecurityNews

Home Cyber Security News Critical Jenkins Vulnerability Exposes Build Environments to XSS Attacks Jenkins Vulnerability Exposes XSS Attacks Security Advisory has revealed multiple vulnerabilities in Jenkins Core, including a stored Cross-Site Scripting (XSS) flaw that could expose build environments to severe security risks. The issues, identified as CVE-2026-27099 and CVE-2026-27100, were responsibly disclosed under the Jenkins Bug Bounty Program sponsored by the European Commission. The most critical of the two, tracked as CVE-2026-27099, is a high-severity stored XSS vulnerability that impacts Jenkins versions 2.550 and earlier, as well as LTS versions 2.541.1 and earlier. The flaw originates in how Jenkins handles “offline cause descriptions,” which explain why a build node goes offline. Since version 2.483, these descriptions allowed HTML content, but the input wasn’t properly escaped in vulnerable versions. CVE ID CVSS Score Description Affected Versions CVE-2026-27099 High Stored XSS in node offline cause description Jenkins ≤ 2.550, LTS ≤ 2.541.1 CVE-2026-27100 Medium Build information disclosure via Run Parameter Jenkins ≤ 2.550, LTS ≤ 2.541.1 An attacker with Agent/Configure or Agent/Disconnect permissions could inject malicious JavaScript into the offline cause description, potentially compromising other users’ sessions. Jenkins versions 2.551 and LTS 2.541.2 address this issue by escaping user-supplied input. Additionally, instances using Content Security Policy (CSP) enforcement on Jenkins 2.539 and newer are partially protected against these attacks. The second vulnerability, CVE-2026-27100, rated medium severity, affects how Jenkins handles Run Parameter values. In affected versions up to 2.550 (and LTS 2.541.1), users could query builds or jobs they didn’t have permission to access. This allowed attackers to determine whether specific projects or builds existed, potentially leading to information disclosure within the Jenkins environment. Jenkins 2.551 and LTS 2.541.2 now properly reject unauthorized Run Parameter values, preventing this type of data leakage. Jenkins administrators are strongly advised to update to the latest versions 2.551 or LTS 2.541.2 to mitigate both vulnerabilities. Builds that rely on older versions remain at risk of script injection and unauthorized exposure of build information. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber AI Anthropic Launches Projects Feature for Claude Cowork Desktop Cyber Security News Windows 11 March Update Breaks Microsoft Teams and OneDrive Sign-Ins Cyber Security News Hackers Compromised 7,500+ Magento Websites to Upload Hidden Malicious Files and Steal Data Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026