Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attacker needs agent access (PR:L) and an admin must view the page (UI:R); script crosses into the browser context (S:C) with limited confidentiality/integrity impact typical of stored XSS (C:L/I:L).
Primary rating from Vendor (JetBrains).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data
AnalysisAI
Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control a build agent that connects to the TeamCity server and submits the agent-reported data used to render the cloud profile page, meaning agent-level access/authorization is a prerequisite (consistent with PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3 High) reflects a network-reachable but authenticated flaw requiring victim interaction; the C:H/I:H rating is aggressive for an XSS and likely reflects the administrative context of the cloud profile page rather than direct server compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can register or compromise a build agent configures it to report data containing a crafted JavaScript payload; the payload is stored by TeamCity. When an administrator opens the cloud profile page, the script executes in their authenticated session, allowing the attacker to steal session tokens or perform administrative actions as that user. … |
| Remediation | Vendor-released patch: upgrade to JetBrains TeamCity 2026.1.2 or later, which is the primary and definitive fix (see https://www.jetbrains.com/privacy-security/issues-fixed/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all TeamCity instances and versions in use; restrict network access for build agents and TeamCity UI to trusted, monitored networks and authorized users only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e
In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42912
GHSA-5526-463r-44x5