—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple Vulnerabilities in Jenkins

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Software Affected

Jenkins weekly versions 2.550 and prior

Jenkins LTS versions 2.541.1 and prior

Overview

Multiple vulnerabilities have been reported in Jenkins, which could allow authenticated attackers to perform stored cross-site scripting (XSS) attacks and gain unauthorized access to restricted build information on affected systems.

Target Audience:

All organizations and individuals using Jenkins.

Risk Assessment:

High risk of administrative session compromise and exposure of sensitive CI/CD data due to improper input validation and insufficient access controls.

Impact Assessment:

Potential for stored cross-site scripting (XSS) and unauthorized access to restricted build information.

Description

Jenkins is an open-source automation server used for continuous integration (CI) and continuous delivery (CD), enabling developers to build, test, and deploy applications efficiently.

These vulnerabilities exist in Jenkins due to improper input validation in the node ‘offline cause’ field, leading to stored cross-site scripting (XSS), and insufficient validation of Run Parameter values, allowing access to unauthorized build information.

Successful exploitation could enable attackers with specific permissions to inject malicious scripts or access restricted build metadata.

Solution

Apply appropriate updates as mentioned as mentioned by the Vendor:

https://www.jenkins.io/security/advisory/2026-02-18/

Vendor Information

Jenkins

https://www.jenkins.io/security/

References

 

https://www.jenkins.io/security/advisory/2026-02-18/

CVE Name

CVE-2026-27099

CVE-2025-27100

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmmYfAoACgkQ3jCgcSdc

ys8P0w/9EJb9gkNsogX93pz1cA1YKO3COSJRf4xOijiTmv+AnXWFDpG9wxWFsZb7

vu038JirXl8VdaNISj76yBG9dsvjnKX3GMIjpxjLnxRSWL+wk7c47VEtLLzPLJ2k

n/mjyTmEZ5ONIEbhpgM8BBlm8CBy4WE8iwkLVlJHWJirgv2PPi288mo67/VZ1iGt

wMff4JGdSCmzXn4jb8UZaZhRYMjRtj+44Yd0oaqt3WtKDMaUUxCCLCXjHGrTCRS6

SnTI3V8xCsVYNZVqjKAE8T1/onHf2Zj1Zm0Vrfgys5eUsY+M6gaYHE1EN75UIoiy

FTR2H2qszISpR9CuGKMdSO59V2062eeb9UQfhxi67XBTlcHIERzVtOb/4+dFwd1I

K5WTECMMubTKYHk8MnbjrhEh4g5acCvXok7j/Zj43tMHWlXtlKWCKNNtPzk8bbpp

ywluJuAkNqgSBZ4pUuwKPhcaUuExguoQyu/vYjV0aVdY21Rd7Z7bwW9V2IRaCP4Z

sMjmJbMN0x1Y3b6WrydRQPhnmpC+saR5VGJxSsHQtK5kRFqPEVqS2tXl4FfzYvlo

k8MSSV2QGPiz9L/SuM4wd+59Zzui9WOrOe39bUT32gu7XGmxUFvI3Tqlx9NfJkcm

0L4E1isVeKFKkZ004qTGmxVOwysLMRmKclELO7g8vWifHaW7iYk=

=1Tv+

—–END PGP SIGNATURE—–