Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2026-27099)

Description

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

Remediation

References

Related Vulnerabilities

WordPress Plugin Membership Simplified Multiple SQL Injection Vulnerabilities (1.58)

MyBB Other Vulnerability (CVE-2007-0544)

Oracle JRE CVE-2012-5083 Vulnerability (CVE-2012-5083)

Drupal Core 8.8.x Remote Code Execution (8.8.0 - 8.8.7)

Sqlite Integer Overflow or Wraparound Vulnerability (CVE-2025-29087)

Severity

High

Classification

CVE-2026-27099 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities