Teamcity
Monthly
Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. Because agent registration requires no authentication, the entry barrier is minimal, and successful execution in an admin session can lead to session/token theft and pivoting to control of a CI/CD build server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.
Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. The issue was reported by JetBrains itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With PR:L in the CVSS vector, exploitation requires a low-privilege account that can define or influence a Perforce VCS root, making it a realistic post-authentication threat on shared CI servers.
Stored cross-site scripting in JetBrains TeamCity's SAML login page allows a high-privileged attacker to inject persistent malicious scripts that execute in victims' browsers upon visiting the login page. All TeamCity versions prior to 2026.1 are affected. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect browser sessions beyond the immediate component, though confidentiality impact is rated low and no integrity or availability loss is assessed. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensitive secrets via JVM thread name inspection. The root cause (CWE-522 - Insufficiently Protected Credentials) is TeamCity embedding credential values directly into thread names, which surfaces in thread dumps, monitoring interfaces, and diagnostic tooling accessible to low-privileged users. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) makes it a significant credential theft vector in enterprise CI/CD environments where TeamCity routinely holds access tokens to source repositories, cloud infrastructure, and deployment targets.
Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.
Sensitive data exposure in JetBrains TeamCity before 2025.11.2 allows authenticated low-privileged users to read confidential values stored in default build agent parameters. The root cause (CWE-526) indicates that sensitive information - such as API keys, tokens, or credentials - is passed or stored through agent environment/configuration parameters without adequate access restrictions. With a CVSS score of 4.3 and no public exploit or KEV listing, this represents a moderate-priority information disclosure risk, most dangerous in environments where agent parameters are used to propagate secrets across pipelines.
Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to CI/CD resources. The flaw (CWE-863, Incorrect Authorization) permits manipulation of the username field within SAML assertions, potentially enabling impersonation of legitimate users and unauthorized read/write access to build configurations and pipeline data. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The Changed scope (S:C) in the CVSS vector indicates the payload can escape the vulnerable component and affect the victim's broader browser session, enabling session token theft, credential harvesting, or malicious redirects against TeamCity users. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read sensitive build configuration parameters they should not have access to due to missing authorization checks. The flaw carries a CVSS 7.6 score driven by high confidentiality impact on a network-reachable CI/CD server, though no public exploit identified at time of analysis. Because TeamCity build parameters frequently contain secrets such as deployment credentials, signing keys, and API tokens, the disclosure can cascade into broader compromise of downstream systems.
Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can configure Perforce connection settings on a build project. The flaw, classified as CWE-88 (argument injection), allows attackers with project configuration privileges to inject arguments through Perforce VCS root parameters, leading to command execution on the TeamCity server. No public exploit identified at time of analysis, and the EPSS/KEV signals were not provided in the source intelligence.
Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated attackers to coerce the build server into issuing arbitrary outbound HTTP requests through the build status functionality. The CVSS 7.5 score (C:H/I:N/A:N) reflects high-impact disclosure of internal data without integrity or availability effects, and no public exploit is identified at time of analysis.
Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL targeting the keyword filter parameter. The flaw was reported by JetBrains and carries a CVSS 7.1 due to the high confidentiality impact possible against authenticated CI/CD users; no public exploit identified at time of analysis.
Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to server APIs. Despite the CVE description stating 'authenticated users could expose server API,' the CVSS vector (PR:N) confirms no authentication is required for exploitation, enabling direct unauthorized API access with high confidentiality impact and limited integrity impact. JetBrains has released patches in versions 2026.1 and 2025.11.5. EPSS and KEV status not available at time of analysis.
In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk [CVSS 2.3 LOW]
Insufficient authorization checks in JetBrains TeamCity before version 2025.11.3 permit project developers to modify build configuration parameters without proper access controls. An authenticated attacker with developer privileges could inject malicious parameters into build configurations, potentially altering build behavior or exposing sensitive information. No patch is currently available for this vulnerability.
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
In JetBrains TeamCity before 2025.07.2 missing Git URL validation allowed credential leakage on Windows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.
In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.1 sMTP injection was possible allowing modification of email content. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership. Rated high severity (CVSS 7.5). No vendor patch available.
In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible
In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions
In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.7% and no vendor patch available.
In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 19.9% and no vendor patch available.
In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 server was susceptible to DoS attacks with incorrect auth tokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 stored XSS via build step settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 several stored XSS in untrusted builds settings were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing to read files from server was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. Because agent registration requires no authentication, the entry barrier is minimal, and successful execution in an admin session can lead to session/token theft and pivoting to control of a CI/CD build server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.
Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. The issue was reported by JetBrains itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With PR:L in the CVSS vector, exploitation requires a low-privilege account that can define or influence a Perforce VCS root, making it a realistic post-authentication threat on shared CI servers.
Stored cross-site scripting in JetBrains TeamCity's SAML login page allows a high-privileged attacker to inject persistent malicious scripts that execute in victims' browsers upon visiting the login page. All TeamCity versions prior to 2026.1 are affected. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect browser sessions beyond the immediate component, though confidentiality impact is rated low and no integrity or availability loss is assessed. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensitive secrets via JVM thread name inspection. The root cause (CWE-522 - Insufficiently Protected Credentials) is TeamCity embedding credential values directly into thread names, which surfaces in thread dumps, monitoring interfaces, and diagnostic tooling accessible to low-privileged users. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) makes it a significant credential theft vector in enterprise CI/CD environments where TeamCity routinely holds access tokens to source repositories, cloud infrastructure, and deployment targets.
Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.
Sensitive data exposure in JetBrains TeamCity before 2025.11.2 allows authenticated low-privileged users to read confidential values stored in default build agent parameters. The root cause (CWE-526) indicates that sensitive information - such as API keys, tokens, or credentials - is passed or stored through agent environment/configuration parameters without adequate access restrictions. With a CVSS score of 4.3 and no public exploit or KEV listing, this represents a moderate-priority information disclosure risk, most dangerous in environments where agent parameters are used to propagate secrets across pipelines.
Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to CI/CD resources. The flaw (CWE-863, Incorrect Authorization) permits manipulation of the username field within SAML assertions, potentially enabling impersonation of legitimate users and unauthorized read/write access to build configurations and pipeline data. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The Changed scope (S:C) in the CVSS vector indicates the payload can escape the vulnerable component and affect the victim's broader browser session, enabling session token theft, credential harvesting, or malicious redirects against TeamCity users. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read sensitive build configuration parameters they should not have access to due to missing authorization checks. The flaw carries a CVSS 7.6 score driven by high confidentiality impact on a network-reachable CI/CD server, though no public exploit identified at time of analysis. Because TeamCity build parameters frequently contain secrets such as deployment credentials, signing keys, and API tokens, the disclosure can cascade into broader compromise of downstream systems.
Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can configure Perforce connection settings on a build project. The flaw, classified as CWE-88 (argument injection), allows attackers with project configuration privileges to inject arguments through Perforce VCS root parameters, leading to command execution on the TeamCity server. No public exploit identified at time of analysis, and the EPSS/KEV signals were not provided in the source intelligence.
Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated attackers to coerce the build server into issuing arbitrary outbound HTTP requests through the build status functionality. The CVSS 7.5 score (C:H/I:N/A:N) reflects high-impact disclosure of internal data without integrity or availability effects, and no public exploit is identified at time of analysis.
Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL targeting the keyword filter parameter. The flaw was reported by JetBrains and carries a CVSS 7.1 due to the high confidentiality impact possible against authenticated CI/CD users; no public exploit identified at time of analysis.
Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to server APIs. Despite the CVE description stating 'authenticated users could expose server API,' the CVSS vector (PR:N) confirms no authentication is required for exploitation, enabling direct unauthorized API access with high confidentiality impact and limited integrity impact. JetBrains has released patches in versions 2026.1 and 2025.11.5. EPSS and KEV status not available at time of analysis.
In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk [CVSS 2.3 LOW]
Insufficient authorization checks in JetBrains TeamCity before version 2025.11.3 permit project developers to modify build configuration parameters without proper access controls. An authenticated attacker with developer privileges could inject malicious parameters into build configurations, potentially altering build behavior or exposing sensitive information. No patch is currently available for this vulnerability.
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
In JetBrains TeamCity before 2025.07.2 missing Git URL validation allowed credential leakage on Windows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.
In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.1 sMTP injection was possible allowing modification of email content. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership. Rated high severity (CVSS 7.5). No vendor patch available.
In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible
In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions
In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.7% and no vendor patch available.
In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 19.9% and no vendor patch available.
In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 server was susceptible to DoS attacks with incorrect auth tokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 stored XSS via build step settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2024.03.2 several stored XSS in untrusted builds settings were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing to read files from server was possible. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.