Stored XSS via POST config.xml API in Jenkins 2.483-2.567 & LTS 2.492.1-2.555.2
CVE-2026-53441 Published on June 10, 2026

Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Vendor Advisory NVD

Products Associated with CVE-2026-53441

Want to know whenever a new CVE is published for Jenkins? stack.watch will email you.

Jenkins

Affected Versions

Jenkins Project Jenkins:

Before 2.483 is unaffected.
Version 2.568 and below * is unaffected.
Version 2.555.3 and below 2.555.* is unaffected.

Stored XSS via POST config.xml API in Jenkins 2.483-2.567 & LTS 2.492.1-2.555.2CVE-2026-53441 Published on June 10, 2026

Products Associated with CVE-2026-53441

Affected Versions

Stored XSS via POST config.xml API in Jenkins 2.483-2.567 & LTS 2.492.1-2.555.2
CVE-2026-53441 Published on June 10, 2026