PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53441 Jenkins Project CVE debrief

CVE-2026-53441 is a stored cross-site scripting (XSS) vulnerability in Jenkins 2.483 through 2.567 and LTS 2.492.1 through 2.555.2. The vulnerability occurs because Jenkins does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API. This allows attackers with Agent/Configure permission to exploit the vulnerability.

Vendor: Jenkins Project
Product: Jenkins
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Administrators of Jenkins 2.483 through 2.567 and LTS 2.492.1 through 2.555.2, particularly of instances where Agent/Configure permission is granted to users who are not fully trusted.

Technical summary

The vulnerability is caused by missing output escaping in Jenkins. Specifically, the user-provided description of a generic offline cause is rendered without being escaped, so a user with Agent/Configure permission can store HTML or JavaScript in it through the `POST config.xml` API. That code is then executed in the browser of any other user who views the description, potentially leading to unauthorized actions performed with that user's session or to data theft.
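The following is an added illustration, not code from Jenkins or from the PatchSiren debrief, of the mechanism described above: a user-supplied offline-cause description embedded in an HTML page without escaping, beside the hardened form that escapes it at output time, plus a small audit helper of the kind a defender might run over exported descriptions. The HTML fragment, the function names and the sample descriptions are all constructed for this example and do not reflect Jenkins's actual templates or data model.

```python
import html

# Constructed sample descriptions; none of these come from a real instance.
SAMPLE_DESCRIPTIONS = [
    "Disk replacement scheduled for Friday",
    "Maintenance <b>tonight</b>",
    "<script>alert(1)</script>",
]


def render_unescaped(description: str) -> str:
    """Vulnerable pattern: the description is interpolated into HTML as-is,
    so any markup or script it contains becomes part of the page."""
    return f'<div class="offline-cause">{description}</div>'


def render_escaped(description: str) -> str:
    """Hardened pattern: escape at the point of output. html.escape turns
    &, <, >, " and ' into entities, so the browser shows the text literally."""
    return f'<div class="offline-cause">{html.escape(description, quote=True)}</div>'


def contains_markup(description: str) -> bool:
    """Audit helper: True if the description holds characters that an HTML
    parser would treat as markup or an entity rather than plain text."""
    return any(ch in description for ch in "<>&")


def flag_descriptions(descriptions: list[str]) -> list[str]:
    """Return the descriptions worth a closer look during monitoring. A legitimate
    offline cause such as 'disk replacement' rarely needs angle brackets."""
    return [d for d in descriptions if contains_markup(d)]


if __name__ == "__main__":
    for d in SAMPLE_DESCRIPTIONS:
        print("unescaped:", render_unescaped(d))
        print("escaped:  ", render_escaped(d))
    print("flagged:", flag_descriptions(SAMPLE_DESCRIPTIONS))
```

The escaped output is lossless: `html.unescape` on the rendered text gives back the original description, so escaping at output time protects viewers without changing what the configuring user stored.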

Defensive priority

High

Recommended defensive actions

  • Update Jenkins to a version that fixes the vulnerability.
  • Restrict access to the `POST config.xml` API, and review who holds Agent/Configure permission, so that untrusted users cannot set offline cause descriptions.
  • Monitor Jenkins instances for unexpected agent configuration changes, in particular offline cause descriptions that contain HTML or script content.

Evidence notes

The CVE record and NVD detail provide evidence of the vulnerability. The Jenkins security advisory provides additional information on the vulnerability and the fix.

Official resources

CVE-2026-53441 was published on 2026-06-10T14:16:37.087Z and modified on 2026-06-10T19:43:28.857Z.