Description
In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible
Published: 2026-05-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows attackers to inject and execute arbitrary client‑side scripts when the keyword filter feature of JetBrains TeamCity processes user input, leading to captured session cookies, unauthorized actions, or defacement of the application page. The weakness is a classic reflected cross‑site scripting flaw described by CWE‑79.

Affected Systems

JetBrains TeamCity servers prior to version 2026.1.1 are affected; the vulnerability is present in all builds released before that update.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact; the EPSS score is not available and the issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the web interface by supplying crafted input into the keyword filter, which is then reflected back without proper sanitization.

Generated by OpenCVE AI on May 29, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains TeamCity to version 2026.1.1 or newer to obtain the vendor fix.
  • If immediate upgrade is not possible, disable the keyword filter feature to prevent reflected input from reaching the browser.
  • Monitor web traffic for XSS attempts and apply web‑application firewall rules to block malicious payloads.

Generated by OpenCVE AI on May 29, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS in JetBrains TeamCity Keyword Filter
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetbrains
Jetbrains teamcity
Vendors & Products Jetbrains
Jetbrains teamcity

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Jetbrains Teamcity
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-29T19:30:26.332Z

Reserved: 2026-05-29T18:07:54.884Z

Link: CVE-2026-49371

cve-icon Vulnrichment

Updated: 2026-05-29T19:30:21.822Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-29T19:16:26.913

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49371

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T20:15:07Z

Weaknesses