CVE-2026-53441: Jenkins: Stored XSS vulnerability in node offline cause description

June 10, 2026 (updated June 12, 2026)

Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

References

github.com/advisories/GHSA-93qh-vwrm-c5pw
github.com/jenkinsci/jenkins/commit/20041e8090d3b228d586169141ea7f12ffe4444d
nvd.nist.gov/vuln/detail/CVE-2026-53441
www.jenkins.io/security/advisory/2026-06-10/

Code Behaviors & Features

Detect and mitigate CVE-2026-53441 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →