{"id":"CVE-2026-27099","details":"Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the \"Mark temporarily offline\" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.","aliases":["BIT-jenkins-2026-27099","GHSA-85h6-5m3v-gx37"],"modified":"2026-03-13T04:11:48.379467Z","published":"2026-02-18T15:18:43.857Z","related":["CGA-97g9-5243-wvcj"],"references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"137b3d0ff9b7bace2b9683f1e616bbbbce7ad1ca"},{"fixed":"714eeca02d35290fafb5f46dfa5a7ac1e4f26bab"},{"introduced":"cbd272880677edffab51c8f8f00ddfa35f8bf4ac"},{"fixed":"fc71f0677ff81340ba7eb19b2d571fb9af230437"}],"database_specific":{"versions":[{"introduced":"2.483"},{"fixed":"2.551"},{"introduced":"2.492.1"},{"fixed":"2.541.2"}]}}],"versions":["jenkins-2.483","jenkins-2.484","jenkins-2.485","jenkins-2.486","jenkins-2.487","jenkins-2.488","jenkins-2.489","jenkins-2.490","jenkins-2.491","jenkins-2.492","jenkins-2.493","jenkins-2.494","jenkins-2.495","jenkins-2.496","jenkins-2.497","jenkins-2.498","jenkins-2.499","jenkins-2.500","jenkins-2.501","jenkins-2.502","jenkins-2.503","jenkins-2.504","jenkins-2.505","jenkins-2.506","jenkins-2.507","jenkins-2.508","jenkins-2.509","jenkins-2.510","jenkins-2.511","jenkins-2.512","jenkins-2.513","jenkins-2.514","jenkins-2.515","jenkins-2.516","jenkins-2.517","jenkins-2.518","jenkins-2.519","jenkins-2.520","jenkins-2.521","jenkins-2.522","jenkins-2.523","jenkins-2.524","jenkins-2.525","jenkins-2.526","jenkins-2.527","jenkins-2.528","jenkins-2.529","jenkins-2.530","jenkins-2.531","jenkins-2.532","jenkins-2.533","jenkins-2.534","jenkins-2.535","jenkins-2.536","jenkins-2.537","jenkins-2.538","jenkins-2.539","jenkins-2.540","jenkins-2.541","jenkins-2.541.1","jenkins-2.541.1-rc","jenkins-2.541.2-rc","jenkins-2.542","jenkins-2.543","jenkins-2.544","jenkins-2.545","jenkins-2.546","jenkins-2.547","jenkins-2.548","jenkins-2.549","jenkins-2.550"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27099.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}