From 52d7aadfebf017dda16b96a4d2ee2a4007e779ef Mon Sep 17 00:00:00 2001
From: Lohit Kolluri
Date: Thu, 11 Jun 2026 17:48:09 +0530
Subject: [PATCH] Improve GHSA-93qh-vwrm-c5pw

---
 .../GHSA-93qh-vwrm-c5pw.json | 44 ++++++++++++++++---
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/advisories/unreviewed/2026/06/GHSA-93qh-vwrm-c5pw/GHSA-93qh-vwrm-c5pw.json b/advisories/unreviewed/2026/06/GHSA-93qh-vwrm-c5pw/GHSA-93qh-vwrm-c5pw.json
index c53892f04aa14..9a04c770d1de0 100644
--- a/advisories/unreviewed/2026/06/GHSA-93qh-vwrm-c5pw/GHSA-93qh-vwrm-c5pw.json
+++ b/advisories/unreviewed/2026/06/GHSA-93qh-vwrm-c5pw/GHSA-93qh-vwrm-c5pw.json
@@ -1,27 +1,59 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-93qh-vwrm-c5pw",
- "modified": "2026-06-10T15:31:31Z",
+ "modified": "2026-06-10T15:31:49Z",
 "published": "2026-06-10T15:31:31Z",
 "aliases": [
 "CVE-2026-53441"
 ],
- "details": "Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.",
- "severity": [],
- "affected": [],
+ "summary": "Stored XSS vulnerability in node offline cause description",
+ "details": "Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API. Since Jenkins 2.483, the description of the reason why a node is offline (the \"offline cause\") is defined as containing HTML and rendered as such. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. Jenkins 2.568, LTS 2.555.3 redefines all offline cause descriptions rendered through the default UI as plain text. On Jenkins 2.539 and newer, LTS 2.541.1 and newer, enforcing Content Security Policy protection mitigates this vulnerability. 
This vulnerability is due to an incomplete fix of SECURITY-3669 in the 2026-02-18 security advisory.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.jenkins-ci.main:jenkins-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.568"
+ }
+ ]
+ }
+ ]
+ }
+ ],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53441"
 },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/jenkinsci/jenkins"
+ },
 {
 "type": "WEB",
 "url": "https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731"
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-06-10T14:16:37Z"
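Review bot: The single ECOSYSTEM range `{"introduced": "0"}, {"fixed": "2.568"}` under `affected` reports the fixed LTS release as still vulnerable, because 2.555.3 orders below 2.568 while the new `details` text names Jenkins 2.568 and LTS 2.555.3 as the fixed versions. Jenkins core advisories normally carry one range per release line so each has its own fix boundary, e.g. `"events": [{"introduced": "0"}, {"fixed": "2.555.3"}]` followed by a second range `"events": [{"introduced": "2.556"}, {"fixed": "2.568"}]`; the 2.556 boundary (first weekly after the 2.555 LTS baseline) is a constructed value and should be confirmed against the vendor advisory. The details also state the offline cause has been rendered as HTML only since Jenkins 2.483, so `"introduced": "0"` is broader than the 2.483-through-2.567 window the replaced details line gave — if the narrower window is intended, the introduced event should reflect it. The raw line break inside the `details` string before "This vulnerability is due to" would be invalid JSON unless it is serialized as `\n` in the committed file; it looks like a display artifact here, but is worth confirming.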