Skip to main content

Teamcity

241 CVEs product

Monthly

CVE-2026-59796 HIGH PATCH This Week

Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Teamcity
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-59795 MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. Because agent registration requires no authentication, the entry barrier is minimal, and successful execution in an admin session can lead to session/token theft and pivoting to control of a CI/CD build server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-59794 MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. The issue was reported by JetBrains itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-59793 HIGH PATCH This Week

Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With PR:L in the CVSS vector, exploitation requires a low-privilege account that can define or influence a Perforce VCS root, making it a realistic post-authentication threat on shared CI servers.

Information Disclosure Teamcity
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-49381 LOW PATCH Monitor

Stored cross-site scripting in JetBrains TeamCity's SAML login page allows a high-privileged attacker to inject persistent malicious scripts that execute in victims' browsers upon visiting the login page. All TeamCity versions prior to 2026.1 are affected. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect browser sessions beyond the immediate component, though confidentiality impact is rated low and no integrity or availability loss is assessed. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Teamcity
NVD VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-49379 MEDIUM PATCH This Month

Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensitive secrets via JVM thread name inspection. The root cause (CWE-522 - Insufficiently Protected Credentials) is TeamCity embedding credential values directly into thread names, which surfaces in thread dumps, monitoring interfaces, and diagnostic tooling accessible to low-privileged users. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) makes it a significant credential theft vector in enterprise CI/CD environments where TeamCity routinely holds access tokens to source repositories, cloud infrastructure, and deployment targets.

Information Disclosure Teamcity
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49378 MEDIUM PATCH This Month

Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49377 MEDIUM PATCH This Month

Sensitive data exposure in JetBrains TeamCity before 2025.11.2 allows authenticated low-privileged users to read confidential values stored in default build agent parameters. The root cause (CWE-526) indicates that sensitive information - such as API keys, tokens, or credentials - is passed or stored through agent environment/configuration parameters without adequate access restrictions. With a CVSS score of 4.3 and no public exploit or KEV listing, this represents a moderate-priority information disclosure risk, most dangerous in environments where agent parameters are used to propagate secrets across pipelines.

Information Disclosure Teamcity
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49376 MEDIUM PATCH This Month

Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to CI/CD resources. The flaw (CWE-863, Incorrect Authorization) permits manipulation of the username field within SAML assertions, potentially enabling impersonation of legitimate users and unauthorized read/write access to build configurations and pipeline data. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49375 MEDIUM PATCH This Month

Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The Changed scope (S:C) in the CVSS vector indicates the payload can escape the vulnerable component and affect the victim's broader browser session, enabling session token theft, credential harvesting, or malicious redirects against TeamCity users. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Teamcity
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-49374 HIGH PATCH This Week

Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read sensitive build configuration parameters they should not have access to due to missing authorization checks. The flaw carries a CVSS 7.6 score driven by high confidentiality impact on a network-reachable CI/CD server, though no public exploit identified at time of analysis. Because TeamCity build parameters frequently contain secrets such as deployment credentials, signing keys, and API tokens, the disclosure can cascade into broader compromise of downstream systems.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-49373 HIGH PATCH This Week

Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can configure Perforce connection settings on a build project. The flaw, classified as CWE-88 (argument injection), allows attackers with project configuration privileges to inject arguments through Perforce VCS root parameters, leading to command execution on the TeamCity server. No public exploit identified at time of analysis, and the EPSS/KEV signals were not provided in the source intelligence.

RCE Teamcity
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-49372 HIGH PATCH This Week

Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated attackers to coerce the build server into issuing arbitrary outbound HTTP requests through the build status functionality. The CVSS 7.5 score (C:H/I:N/A:N) reflects high-impact disclosure of internal data without integrity or availability effects, and no public exploit is identified at time of analysis.

SSRF Teamcity
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-49371 HIGH PATCH This Week

Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL targeting the keyword filter parameter. The flaw was reported by JetBrains and carries a CVSS 7.1 due to the high confidentiality impact possible against authenticated CI/CD users; no public exploit identified at time of analysis.

XSS Teamcity
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44413 HIGH PATCH This Week

Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to server APIs. Despite the CVE description stating 'authenticated users could expose server API,' the CVSS vector (PR:N) confirms no authentication is required for exploitation, enabling direct unauthorized API access with high confidentiality impact and limited integrity impact. JetBrains has released patches in versions 2026.1 and 2025.11.5. EPSS and KEV status not available at time of analysis.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-28196 LOW Monitor

In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk [CVSS 2.3 LOW]

Information Disclosure Teamcity
NVD
CVSS 3.1
2.3
EPSS
0.0%
CVE-2026-28195 MEDIUM This Month

Insufficient authorization checks in JetBrains TeamCity before version 2025.11.3 permit project developers to modify build configuration parameters without proper access controls. An authenticated attacker with developer privileges could inject malicious parameters into build configurations, potentially altering build behavior or exposing sensitive information. No patch is currently available for this vulnerability.

Authentication Bypass Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28194 MEDIUM This Month

Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

React Open Redirect Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-59457 HIGH This Month

In JetBrains TeamCity before 2025.07.2 missing Git URL validation allowed credential leakage on Windows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Teamcity Windows
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-59456 MEDIUM This Month

In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-59455 MEDIUM Monitor

In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Race Condition Teamcity
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-57734 MEDIUM Monitor

In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Information Disclosure Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-57733 MEDIUM This Month

In JetBrains TeamCity before 2025.07.1 sMTP injection was possible allowing modification of email content. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Teamcity
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-57732 HIGH This Month

In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership. Rated high severity (CVSS 7.5). No vendor patch available.

Privilege Escalation Teamcity
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-52879 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible

XSS Node.js Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-52878 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions

Authentication Bypass Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-52877 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible

XSS Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-52876 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2025-52875 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-47854 MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-47853 MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian XSS Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-47852 MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-47851 MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-46618 LOW Monitor

In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-46433 MEDIUM This Month

In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-46432 MEDIUM This Month

In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-31141 LOW Monitor

In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-31140 MEDIUM This Month

In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
4.6
EPSS
0.6%
CVE-2025-31139 MEDIUM This Month

In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-26493 MEDIUM This Month

In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.7% and no vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
4.6
EPSS
15.7%
CVE-2025-26492 HIGH This Week

In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Kubernetes Teamcity
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-24461 MEDIUM This Month

In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-24460 MEDIUM Monitor

In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-24459 MEDIUM Monitor

In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 19.9% and no vendor patch available.

Hashicorp XSS Teamcity
NVD
CVSS 3.1
4.6
EPSS
19.9%
CVE-2024-56356 HIGH This Week

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-56355 MEDIUM This Month

In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2024-56354 MEDIUM This Month

In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2024-56353 MEDIUM This Month

In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-56352 MEDIUM This Month

In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2024-56351 HIGH This Week

In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-56350 MEDIUM This Month

In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-56349 MEDIUM This Month

In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-56348 MEDIUM This Month

In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-47951 MEDIUM This Month

In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
1.4%
CVE-2024-47950 MEDIUM This Month

In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
1.4%
CVE-2024-47949 HIGH This Week

In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
CVSS 3.1
7.5
EPSS
22.9%
CVE-2024-47948 HIGH This Week

In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Teamcity
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-47161 MEDIUM This Month

In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-43810 MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-43809 MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-43808 MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-43807 MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-43114 HIGH This Week

In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Teamcity
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-41829 HIGH This Week

In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-41828 MEDIUM This Month

In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-41827 CRITICAL Act Now

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-41826 MEDIUM This Month

In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-41825 MEDIUM This Month

In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-41824 MEDIUM This Month

In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-39879 MEDIUM This Month

In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-39878 MEDIUM This Month

In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-36470 CRITICAL Act Now

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-36378 HIGH This Week

In JetBrains TeamCity before 2024.03.2 server was susceptible to DoS attacks with incorrect auth tokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Teamcity
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-36377 HIGH This Week

In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-36376 HIGH This Week

In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-36375 MEDIUM This Month

In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-36374 MEDIUM This Month

In JetBrains TeamCity before 2024.03.2 stored XSS via build step settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36373 MEDIUM This Month

In JetBrains TeamCity before 2024.03.2 several stored XSS in untrusted builds settings were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36372 MEDIUM This Month

In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-36371 MEDIUM This Month

In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36370 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36369 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36368 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36367 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-36366 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-36365 HIGH This Week

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-36364 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-36363 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36362 MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing to read files from server was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-35302 MEDIUM This Month

In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. Because agent registration requires no authentication, the entry barrier is minimal, and successful execution in an admin session can lead to session/token theft and pivoting to control of a CI/CD build server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. The issue was reported by JetBrains itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Teamcity
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With PR:L in the CVSS vector, exploitation requires a low-privilege account that can define or influence a Perforce VCS root, making it a realistic post-authentication threat on shared CI servers.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 3.4
LOW PATCH Monitor

Stored cross-site scripting in JetBrains TeamCity's SAML login page allows a high-privileged attacker to inject persistent malicious scripts that execute in victims' browsers upon visiting the login page. All TeamCity versions prior to 2026.1 are affected. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect browser sessions beyond the immediate component, though confidentiality impact is rated low and no integrity or availability loss is assessed. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Teamcity
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensitive secrets via JVM thread name inspection. The root cause (CWE-522 - Insufficiently Protected Credentials) is TeamCity embedding credential values directly into thread names, which surfaces in thread dumps, monitoring interfaces, and diagnostic tooling accessible to low-privileged users. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) makes it a significant credential theft vector in enterprise CI/CD environments where TeamCity routinely holds access tokens to source repositories, cloud infrastructure, and deployment targets.

Information Disclosure Teamcity
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Sensitive data exposure in JetBrains TeamCity before 2025.11.2 allows authenticated low-privileged users to read confidential values stored in default build agent parameters. The root cause (CWE-526) indicates that sensitive information - such as API keys, tokens, or credentials - is passed or stored through agent environment/configuration parameters without adequate access restrictions. With a CVSS score of 4.3 and no public exploit or KEV listing, this represents a moderate-priority information disclosure risk, most dangerous in environments where agent parameters are used to propagate secrets across pipelines.

Information Disclosure Teamcity
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to CI/CD resources. The flaw (CWE-863, Incorrect Authorization) permits manipulation of the username field within SAML assertions, potentially enabling impersonation of legitimate users and unauthorized read/write access to build configurations and pipeline data. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The Changed scope (S:C) in the CVSS vector indicates the payload can escape the vulnerable component and affect the victim's broader browser session, enabling session token theft, credential harvesting, or malicious redirects against TeamCity users. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Teamcity
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read sensitive build configuration parameters they should not have access to due to missing authorization checks. The flaw carries a CVSS 7.6 score driven by high confidentiality impact on a network-reachable CI/CD server, though no public exploit identified at time of analysis. Because TeamCity build parameters frequently contain secrets such as deployment credentials, signing keys, and API tokens, the disclosure can cascade into broader compromise of downstream systems.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can configure Perforce connection settings on a build project. The flaw, classified as CWE-88 (argument injection), allows attackers with project configuration privileges to inject arguments through Perforce VCS root parameters, leading to command execution on the TeamCity server. No public exploit identified at time of analysis, and the EPSS/KEV signals were not provided in the source intelligence.

RCE Teamcity
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated attackers to coerce the build server into issuing arbitrary outbound HTTP requests through the build status functionality. The CVSS 7.5 score (C:H/I:N/A:N) reflects high-impact disclosure of internal data without integrity or availability effects, and no public exploit is identified at time of analysis.

SSRF Teamcity
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL targeting the keyword filter parameter. The flaw was reported by JetBrains and carries a CVSS 7.1 due to the high confidentiality impact possible against authenticated CI/CD users; no public exploit identified at time of analysis.

XSS Teamcity
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to server APIs. Despite the CVE description stating 'authenticated users could expose server API,' the CVSS vector (PR:N) confirms no authentication is required for exploitation, enabling direct unauthorized API access with high confidentiality impact and limited integrity impact. JetBrains has released patches in versions 2026.1 and 2025.11.5. EPSS and KEV status not available at time of analysis.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 2.3
LOW Monitor

In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk [CVSS 2.3 LOW]

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient authorization checks in JetBrains TeamCity before version 2025.11.3 permit project developers to modify build configuration parameters without proper access controls. An authenticated attacker with developer privileges could inject malicious parameters into build configurations, potentially altering build behavior or exposing sensitive information. No patch is currently available for this vulnerability.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

React Open Redirect Teamcity
NVD
EPSS 0% CVSS 7.7
HIGH This Month

In JetBrains TeamCity before 2025.07.2 missing Git URL validation allowed credential leakage on Windows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Teamcity +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
EPSS 0% CVSS 4.2
MEDIUM Monitor

In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Race Condition Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Information Disclosure Teamcity
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains TeamCity before 2025.07.1 sMTP injection was possible allowing modification of email content. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Teamcity
NVD
EPSS 0% CVSS 7.5
HIGH This Month

In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership. Rated high severity (CVSS 7.5). No vendor patch available.

Privilege Escalation Teamcity
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible

XSS Node.js Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible

XSS Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Teamcity
NVD
EPSS 0% CVSS 4.8
MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian XSS Teamcity
NVD
EPSS 0% CVSS 4.8
MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 4.8
MEDIUM Monitor

In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 3.5
LOW Monitor

In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 2.7
LOW Monitor

In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 1% CVSS 4.6
MEDIUM This Month

In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 16% CVSS 4.6
MEDIUM This Month

In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.7% and no vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 7.7
HIGH This Week

In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Kubernetes Teamcity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 20% CVSS 4.6
MEDIUM Monitor

In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 19.9% and no vendor patch available.

Hashicorp XSS Teamcity
NVD
EPSS 0% CVSS 7.1
HIGH This Week

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Teamcity
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 8.8
HIGH This Week

In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 23% CVSS 7.5
HIGH This Week

In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Teamcity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Teamcity
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In JetBrains TeamCity before 2024.03.2 server was susceptible to DoS attacks with incorrect auth tokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Teamcity
NVD
EPSS 0% CVSS 8.1
HIGH This Week

In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 8.1
HIGH This Week

In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.03.2 stored XSS via build step settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.03.2 several stored XSS in untrusted builds settings were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 0% CVSS 8.1
HIGH This Week

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Teamcity
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing to read files from server was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Teamcity
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Teamcity
NVD
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy