{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53441", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2026-06-09T14:26:44.789Z", "datePublished": "2026-06-10T13:06:01.921Z", "dateUpdated": "2026-06-10T13:06:01.921Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-06-10T13:06:01.921Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"version": "0", "versionType": "maven", "lessThan": "2.483", "status": "unaffected"}, {"version": "2.568", "versionType": "maven", "lessThan": "*", "status": "unaffected"}, {"version": "2.555.3", "versionType": "maven", "lessThan": "2.555.*", "status": "unaffected"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission."}], "references": [{"name": "Jenkins Security Advisory 2026-06-10", "url": "https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731", "tags": ["vendor-advisory"]}]}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "244741F0-DF87-4DFF-9A33-DFF0F9033CA9", "versionEndExcluding": "2.568", "versionStartIncluding": "2.483", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "A3ABB57C-A903-4BBD-B1DA-9EEEDCBC4FCB", "versionEndExcluding": "2.555.3", "versionStartIncluding": "2.492.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission."}], "id": "CVE-2026-53441", "lastModified": "2026-06-15T18:05:52.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-06-10T14:16:37.087", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "jenkins: Jenkins: Stored Cross-Site Scripting (XSS) via unescaped user-provided description", "id": "2487533", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487533"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.", "A flaw was found in Jenkins. This vulnerability, a stored cross-site scripting (XSS) issue, allows attackers with Agent/Configure permission to inject malicious scripts into the user-provided description of a generic offline cause. When other users view this description, the injected script can execute in their browser, potentially leading to information disclosure or unauthorized actions."], "mitigation": {"lang": "en:us", "value": "To fully mitigate this vulnerability, upgrade the Jenkins instance to version 2.568 or LTS 2.555.3 (or later). These releases officially resolve the issue by securely rendering the offline cause descriptions as plain text. If an immediate upgrade is not feasible, the risk can be significantly reduced by auditing Role-Based Access Control (RBAC) settings and strictly limiting the Agent/Configure permission to highly trusted, essential administrators only."}, "name": "CVE-2026-53441", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}], "public_date": "2026-06-10T13:06:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-53441\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-53441\nhttps://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731"], "threat_severity": "Moderate"}