CVE-2026-59794

JetBrains · TeamCity

JetBrains TeamCity contains a Cross-Site Scripting (XSS) vulnerability allowing authenticated users with low privileges to execute malicious scripts in the context of the application.

Executive summary

An authenticated Cross-Site Scripting (XSS) vulnerability in JetBrains TeamCity may allow unauthorized script execution within the application context.

Vulnerability

The application is susceptible to Cross-Site Scripting (CWE-79), which can be triggered by authenticated users with low privileges. This flaw allows for the injection of malicious client-side scripts that execute when viewed by other users, including administrators.

Business impact

With a CVSS score of 7.3 (High), this vulnerability poses a significant risk to organizational security. Successful exploitation could lead to session hijacking, unauthorized actions performed on behalf of legitimate users, and potential compromise of sensitive CI/CD pipeline configurations.

Remediation

Immediate Action: Upgrade to TeamCity version 2026.1.2 or later as specified by the vendor.

Proactive Monitoring: Review web server and application audit logs for unusual script injections or unexpected URL parameters associated with user profile updates or build configurations.

Compensating Controls: Deploy a Web Application Firewall (WAF) with robust XSS filtering rules to inspect and sanitize incoming HTTP requests, providing a layer of protection until the update can be deployed.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the High severity rating and the potential for lateral movement within the development environment, administrators should prioritize updating TeamCity instances. Patching is the only effective way to neutralize the underlying vulnerability in the application logic.