CVE-2026-59795
JetBrains · TeamCity
JetBrains TeamCity is vulnerable to Cross-Site Scripting (CWE-79), potentially allowing an attacker to execute arbitrary scripts in a user's browser.
Executive summary
A Cross-Site Scripting vulnerability in JetBrains TeamCity could allow unauthorized script execution, posing a significant risk to user session integrity.
Vulnerability
This vulnerability is a Cross-Site Scripting (XSS) flaw. The attack vector is network-based and requires user interaction, where an attacker could trick a user into executing malicious JavaScript within the context of the TeamCity interface.
Business impact
The exploitation of this vulnerability could lead to session hijacking, unauthorized actions performed on behalf of a logged-in user, or the exfiltration of sensitive information. Given the CVSS score of 8.1, the high impact on confidentiality and integrity necessitates immediate attention to prevent potential compromise of build pipelines and administrative accounts.
Remediation
Immediate Action: Upgrade JetBrains TeamCity to version 2026.1.2 or later as specified in the vendor security advisory.
Proactive Monitoring: Monitor application logs for unusual request patterns, particularly those involving script tags or unexpected URL parameters.
Compensating Controls: Implement a strict Content Security Policy (CSP) and utilize a Web Application Firewall (WAF) to filter malicious payloads from incoming web traffic.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations utilizing JetBrains TeamCity must prioritize patching to version 2026.1.2. Failure to remediate this issue exposes the CI/CD environment to significant risk of manipulation and data theft.