Description
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
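A defender-side check built from the version ranges stated above, as an added example that is not part of the original advisory or of Jenkins itself: it sorts controller version strings into affected, not affected, or unrecognised. The function names are hypothetical and the inventory hostnames and versions are constructed sample data.

```python
import re

# Affected ranges copied from the description above (both ends inclusive).
WEEKLY_RANGE = ((2, 483), (2, 550))        # weekly line: X.Y
LTS_RANGE = ((2, 492, 1), (2, 541, 1))     # LTS line: X.Y.Z

_VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_version(text):
    """Return (X, Y) or (X, Y, Z) as ints, or None if the format is unrecognised."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None  # snapshots, release candidates, vendor builds: review by hand
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text):
    """True or False for a recognised version, None when it cannot be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    # Three components means an LTS release, two means a weekly release.
    low, high = LTS_RANGE if len(version) == 3 else WEEKLY_RANGE
    return low <= version <= high


def triage(inventory):
    """Group controllers by status. `inventory` maps a name to a version string."""
    groups = {"affected": [], "not_affected": [], "unknown": []}
    for name, version_text in sorted(inventory.items()):
        status = is_affected(version_text)
        key = "unknown" if status is None else ("affected" if status else "not_affected")
        groups[key].append(name)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "ci-weekly-01": "2.483",
        "ci-weekly-02": "2.551",
        "ci-lts-01": "2.541.1",
        "ci-lts-02": "2.479.3",
        "ci-dev-01": "2.540-SNAPSHOT",
    }
    for status, names in triage(sample).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Controllers that land in the unknown group need a manual look, since pre-release or vendor-patched builds do not map cleanly onto the stated ranges.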
Remediation
References