Jenkins disclosed two Jenkins Core vulnerabilities affecting Jenkins 2.550 and earlier and LTS 2.541.1 and earlier: a high-severity stored XSS issue (CVE-2026-27099 / SECURITY-3669) and a medium-severity information disclosure issue via Run Parameter handling (CVE-2026-27100 / SECURITY-3658). The XSS flaw stems from improper escaping of user-supplied HTML in the node “offline cause” description (specifically the “Mark temporarily offline” reason), enabling attackers with Agent/Configure or Agent/Disconnect permissions to inject JavaScript that can execute in other users’ sessions.
Jenkins fixed both issues in Jenkins 2.551 and LTS 2.541.2 by escaping the offline-cause description and rejecting Run Parameter values that reference builds the submitting user cannot access. For CVE-2026-27099, Jenkins noted that on Jenkins 2.539+, enforcing Content Security Policy (CSP) can mitigate the impact (with partial protection referenced for newer versions). Both vulnerabilities were reported via the Jenkins Bug Bounty Program sponsored by the European Commission, and organizations running affected versions should prioritize upgrading to the patched releases to reduce risk to CI/CD build environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Jenkins addressed the disclosed vulnerabilities by releasing Jenkins 2.551 and LTS 2.541.2. The fixes escape user-supplied offline cause description input and reject unauthorized Run Parameter values; the advisory also noted CSP on Jenkins 2.539+ offers partial protection against the XSS issue.
Jenkins published a security advisory disclosing two core vulnerabilities affecting Jenkins 2.550 and earlier and LTS 2.541.1 and earlier: a high-severity stored XSS flaw in node offline cause descriptions (CVE-2026-27099) and a medium-severity information disclosure issue in Run Parameter handling (CVE-2026-27100).
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.