Skip to main content

JetBrains TeamCity CVE-2026-59795

| EUVDEUVD-2026-42913 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 JetBrains GHSA-ch3x-q6cp-54rw
6.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (JetBrains) PRIMARY
HIGH
qualitative
NVD
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated network injection (PR:N/AV:N) but fires only when a victim views the page (UI:R); stored XSS executes in the victim's browser context, so S:C with limited C/I and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (JetBrains).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Severity Changed
Jul 13, 2026 - 15:37 NVD
HIGH MEDIUM
CVSS changed
Jul 13, 2026 - 15:37 NVD
8.1 (HIGH) 6.1 (MEDIUM)
Patch available
Jul 10, 2026 - 16:16 EUVD
Analysis Generated
Jul 10, 2026 - 15:45 vuln.today
CVE Published
Jul 10, 2026 - 14:18 cve.org
HIGH 8.1

DescriptionNVD

In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible

AnalysisAI

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach TeamCity server over network
Delivery
Register malicious agent unauthenticated
Exploit
Store XSS payload in agent metadata
Execution
Admin views agent-management page
Persist
Script executes in admin session
Impact
Steal session/token, act as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires that the TeamCity server's agent registration is reachable by the attacker and accepts registrations without authentication (PR:N), which is the default agent-connection model; the attacker injects the stored payload during that registration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), reflecting network reachability, low complexity, and no privileges required, offset only by required user interaction (a privileged user must view the poisoned content). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with only network access to the TeamCity server registers a malicious build agent, embedding a JavaScript payload in an agent-controlled field that is stored by the server. When an administrator later opens the agent list or agent details page, the payload executes in their authenticated session, allowing the attacker to steal session cookies/CSRF tokens or issue actions as that admin - potentially leading to takeover of the CI/CD pipeline. …
Remediation Vendor-released patch: 2026.1.2 - upgrade the TeamCity server to 2026.1.2 or later, which is the primary and authoritative fix; consult the JetBrains security bulletin at https://www.jetbrains.com/privacy-security/issues-fixed/ for release specifics. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all TeamCity instances and versions < 2026.1.2; review agent registration logs for suspicious activity and preserve for investigation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-27198 CRITICAL POC
9.8 Mar 04

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti

CVE-2023-42793 CRITICAL POC
9.8 Sep 19

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti

CVE-2024-23917 CRITICAL POC
9.8 Feb 06

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS

CVE-2024-41827 CRITICAL
9.8 Jul 22

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s

CVE-2024-36470 CRITICAL
9.8 May 29

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e

CVE-2023-34218 CRITICAL
9.8 May 31

In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c

CVE-2022-25263 CRITICAL
9.8 Feb 25

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated

CVE-2022-24340 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev

CVE-2022-24331 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9

CVE-2021-43202 CRITICAL
9.8 Nov 30

In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS

CVE-2021-43200 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic

CVE-2021-43193 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica

Share

CVE-2026-59795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy