Severity by source
CVSS 3.1 vector (NVD, the primary and only rating source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Description (CVE.org)
In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible
Analysis (AI-generated)
Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking the victim into clicking a crafted URL that targets the keyword filter parameter. JetBrains reported the flaw; it carries a CVSS score of 7.1 because of the high confidentiality impact possible against authenticated CI/CD users. No public exploit was identified at the time of analysis.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) a TeamCity Server running a version prior to 2026.1.1 that is network-reachable from the victim's browser, (2) a logged-in TeamCity user, typically a developer or administrator, who is socially engineered into clicking an attacker-supplied URL carrying the malicious payload in the keyword filter parameter (UI:R per CVSS), and (3) the victim's browser executing the reflected JavaScript in the TeamCity origin. … |
| Risk Assessment | The CVSS 7.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) indicates a network-reachable, low-complexity, unauthenticated attack that requires user interaction (clicking a crafted link) and yields high confidentiality impact with limited integrity impact and no availability impact, which is characteristic of a reflected XSS that leverages the victim's authenticated session. … |
| Exploit Scenario | An attacker crafts a URL that injects malicious JavaScript into the keyword filter parameter of a TeamCity page and delivers it via phishing email, chat, or a watering-hole page targeting a TeamCity administrator. When the authenticated administrator clicks the link, the script executes in their browser under the TeamCity origin and can exfiltrate session tokens, modify build configurations, or pivot to inject malicious steps into build pipelines that touch source code and production deployment artifacts. |
| Remediation | Upgrade to JetBrains TeamCity 2026.1.1 or later, the vendor-released patched version per the JetBrains security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. … |
Recommended Action (AI-generated)
Within 24 hours: Inventory all TeamCity instances and document their versions; restrict external sharing of TeamCity links and educate users not to click untrusted links to TeamCity. …
Weakness: CWE-79 – Cross-site Scripting (XSS)
Related identifiers: EUVD-2026-33379, GHSA-jjhv-75hw-cg7g