{"id":"CVE-2026-53441","details":"Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.","aliases":["BIT-jenkins-2026-53441","GHSA-93qh-vwrm-c5pw"],"modified":"2026-07-15T06:10:07.923626Z","published":"2026-06-10T14:16:37.087Z","related":["CGA-83v4-g6cp-6wf4"],"references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"137b3d0ff9b7bace2b9683f1e616bbbbce7ad1ca"},{"fixed":"23e65e498a76c1747e2c35409b0f2b72c1a91265"},{"introduced":"cbd272880677edffab51c8f8f00ddfa35f8bf4ac"},{"fixed":"74ce59ebfb9ab2c4c58508a54939eb8765dd9ac5"}],"database_specific":{"cpe":["cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*","cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*"],"extracted_events":[{"introduced":"2.483"},{"fixed":"2.568"},{"introduced":"2.492.1"},{"fixed":"2.555.3"}],"source":"CPE_RANGE"}}],"versions":["jenkins-2.567","jenkins-2.555.3-rc-2","jenkins-2.555.3-rc","jenkins-2.566","jenkins-2.565","jenkins-2.555.2","jenkins-2.555.2-rc-2","jenkins-2.564","jenkins-2.555.2-rc","jenkins-2.563","jenkins-2.562","jenkins-2.561","jenkins-2.560","jenkins-2.555.1","jenkins-2.555.1-rc","jenkins-2.559","jenkins-2.558","jenkins-2.557","jenkins-2.556","jenkins-2.555","jenkins-2.554","jenkins-2.553","jenkins-2.552","jenkins-2.551","jenkins-2.550","jenkins-2.549","jenkins-2.548","jenkins-2.547","jenkins-2.546","jenkins-2.545","jenkins-2.544","jenkins-2.543","jenkins-2.542","jenkins-2.541","jenkins-2.540","jenkins-2.539","jenkins-2.538","jenkins-2.537","jenkins-2.536","jenkins-2.535","jenkins-2.534","jenkins-2.533","jenkins-2.532","jenkins-2.531","jenkins-2.530","jenkins-2.529","jenkins-2.528","jenkins-2.527","jenkins-2.526","jenkins-2.525","jenkins-2.524","jenkins-2.523","jenkins-2.522","jenkins-2.521","jenkins-2.520","jenkins-2.519","jenkins-2.518","jenkins-2.517","jenkins-2.516","jenkins-2.515","jenkins-2.514","jenkins-2.513","jenkins-2.512","jenkins-2.511","jenkins-2.510","jenkins-2.509","jenkins-2.508","jenkins-2.507","jenkins-2.506","jenkins-2.505","jenkins-2.504","jenkins-2.503","jenkins-2.502","jenkins-2.501","jenkins-2.500","jenkins-2.499","jenkins-2.498","jenkins-2.497","jenkins-2.496","jenkins-2.495","jenkins-2.494","jenkins-2.493","jenkins-2.492","jenkins-2.491","jenkins-2.490","jenkins-2.489","jenkins-2.488","jenkins-2.487","jenkins-2.486","jenkins-2.485","jenkins-2.484","jenkins-2.483"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53441.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}