Stored XSS via POST config.xml API in Jenkins 2.483-2.567 & LTS 2.492.1-2.555.2
CVE-2026-53441 Published on June 10, 2026

Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Vendor Advisory NVD


Products Associated with CVE-2026-53441

Want to know whenever a new CVE is published for Jenkins? stack.watch will email you.

 

Affected Versions

Jenkins Project Jenkins:

Exploit Probability

EPSS
0.24%
Percentile
14.98%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.