CVE-2026-59794
JetBrains · TeamCity
JetBrains TeamCity contains a Cross-Site Scripting (XSS) vulnerability allowing authenticated users with low privileges to execute malicious scripts in the context of the application.
Executive summary
An authenticated Cross-Site Scripting (XSS) vulnerability in JetBrains TeamCity may allow unauthorized script execution within the application context.
Vulnerability
The application is susceptible to Cross-Site Scripting (CWE-79), which can be triggered by authenticated users with low privileges. This flaw allows for the injection of malicious client-side scripts that execute when viewed by other users, including administrators.
Business impact
With a CVSS score of 7.3 (High), this vulnerability poses a significant risk to organizational security. Successful exploitation could lead to session hijacking, unauthorized actions performed on behalf of legitimate users, and potential compromise of sensitive CI/CD pipeline configurations.
Remediation
Immediate Action: Upgrade to TeamCity version 2026.1.2 or later as specified by the vendor.
Proactive Monitoring: Review web server and application audit logs for unusual script injections or unexpected URL parameters associated with user profile updates or build configurations.
Compensating Controls: Deploy a Web Application Firewall (WAF) with robust XSS filtering rules to inspect and sanitize incoming HTTP requests, providing a layer of protection until the update can be deployed.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the High severity rating and the potential for lateral movement within the development environment, administrators should prioritize updating TeamCity instances. Patching is the only effective way to neutralize the underlying vulnerability in the application logic.