TeamCity
CVE-2025-26493
MEDIUM
Severity by source: NVD (primary rating; the only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Description (CVE.org)
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab
Analysis (AI-generated)
In JetBrains TeamCity before 2024.12.2, several DOM-based XSS vulnerabilities were possible on the Code Inspection Report tab. Rated medium severity (CVSS 4.6), the vulnerability is remotely exploitable with low attack complexity. The EPSS exploitation probability is 15.7%, and no vendor patch is available.
Technical Context (AI-generated)
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In JetBrains TeamCity before 2024.12.2, several DOM-based XSS vulnerabilities were possible on the Code Inspection Report tab. Affected product: JetBrains TeamCity, versions before 2024.12.2.
Remediation (AI-generated)
No vendor patch is available at time of analysis; monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, and encode output contextually (HTML, JavaScript, URL contexts). Use frameworks with built-in XSS protection. Because these issues are DOM-based, the injection occurs in client-side script: the data that the page's JavaScript reads from the URL fragment, query string or DOM must be treated as untrusted and rendered via safe DOM APIs rather than HTML-building sinks, since server-side filtering alone does not cover this path.
Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to serve
In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated h
Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read se
Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated a
Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrar
Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can config
Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensit
Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote at
Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inje
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium se
Same weakness CWE-79 – Cross-site Scripting (XSS)