Skip to main content

Teamcity CVE-2025-52876

| EUVDEUVD-2025-18915 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-06-23 cve@jetbrains.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2025.03.3
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18915
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 15:15 nvd
MEDIUM 5.4

DescriptionCVE.org

In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible

Analysis

In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

CVE-2026-44413 HIGH
8.2 May 11

Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to serve

CVE-2025-26493 MEDIUM
4.6 Feb 11

In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medi

CVE-2025-26492 HIGH
7.7 Feb 11

In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated h

CVE-2026-49374 HIGH
7.6 May 29

Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read se

CVE-2026-49372 HIGH
7.5 May 29

Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated a

CVE-2026-49371 HIGH
7.1 May 29

Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrar

CVE-2026-49373 HIGH
7.1 May 29

Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can config

CVE-2026-49379 MEDIUM
6.5 May 29

Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensit

CVE-2026-49376 MEDIUM
6.5 May 29

Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote at

CVE-2026-49375 MEDIUM
6.1 May 29

Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inje

CVE-2025-52875 MEDIUM
5.4 Jun 23

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible

CVE-2025-46433 MEDIUM
4.9 Apr 25

In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium se

Share

CVE-2025-52876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy