CVE-2026-59795

JetBrains · TeamCity

JetBrains TeamCity is vulnerable to Cross-Site Scripting (CWE-79), potentially allowing an attacker to execute arbitrary scripts in a user's browser.

Executive summary

A Cross-Site Scripting vulnerability in JetBrains TeamCity could allow unauthorized script execution, posing a significant risk to user session integrity.

Vulnerability

This vulnerability is a Cross-Site Scripting (XSS) flaw. The attack vector is network-based and requires user interaction, where an attacker could trick a user into executing malicious JavaScript within the context of the TeamCity interface.

Business impact

The exploitation of this vulnerability could lead to session hijacking, unauthorized actions performed on behalf of a logged-in user, or the exfiltration of sensitive information. Given the CVSS score of 8.1, the high impact on confidentiality and integrity necessitates immediate attention to prevent potential compromise of build pipelines and administrative accounts.

Remediation

Immediate Action: Upgrade JetBrains TeamCity to version 2026.1.2 or later as specified in the vendor security advisory.

Proactive Monitoring: Monitor application logs for unusual request patterns, particularly those involving script tags or unexpected URL parameters.

Compensating Controls: Implement a strict Content Security Policy (CSP) and utilize a Web Application Firewall (WAF) to filter malicious payloads from incoming web traffic.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations utilizing JetBrains TeamCity must prioritize patching to version 2026.1.2. Failure to remediate this issue exposes the CI/CD environment to significant risk of manipulation and data theft.