JetBrains TeamCity, Stored Cross-Site Scripting (XSS), CVE-2026-59795 (HIGH) -DC-Jul2026-921

Listen to this Post

CVE-2026-59795 – Technical Deep Dive

CVE-2026-59795 is a stored cross-site scripting (XSS) vulnerability identified in JetBrains TeamCity, a popular continuous integration and continuous delivery (CI/CD) server. The flaw resides in the unauthenticated agent registration process, a core feature that allows build agents to connect to the TeamCity server.
The vulnerability arises from insufficient input validation and improper output encoding within the agent registration endpoint. When an unauthenticated agent attempts to register, it submits various parameters such as agent name, hostname, and description. The server accepts these parameters and stores them in its database or configuration files without adequately sanitizing or escaping potentially malicious JavaScript code.
An attacker can exploit this by crafting a malicious payload—for example, <script>alert('XSS')</script>—and injecting it into one of these fields during the registration request. Because the registration endpoint does not require authentication, this attack is accessible to any external party.
Once the payload is stored, it lies dormant until a user with appropriate privileges—such as an administrator—views the Agent list or details page in their browser. At that moment, the server renders the stored, unsanitized data, causing the malicious script to execute in the context of the victim’s browser session. This is the classic “stored” or “persistent” XSS attack vector.
The impact is severe. The injected script can perform actions on behalf of the authenticated user, leading to session hijacking, credential theft, and unauthorized administrative actions. An attacker could potentially exfiltrate sensitive data, modify build configurations, or pivot to other parts of the infrastructure.
The vulnerability is mapped to CWE-79 (Improper Neutralization of Input During Web Page Generation) and is associated with the MITRE ATT&CK technique T1059.007 for Command and Scripting Interpreter: JavaScript. The issue was patched in TeamCity version 2026.1.2, which introduces strict input validation and context-aware output encoding for all agent registration parameters.

DailyCVE Form:

Platform: …… JetBrains TeamCity
Version: …….. prior to 2026.1.2
Vulnerability :…… Stored Cross-Site Scripting (XSS)
Severity: ……. HIGH (CVSS 8.1)
date: ………. July 10, 2026

Prediction: …… July 1, 2026

What Undercode Say:

Check current TeamCity version
cat /opt/teamcity/buildAgent/conf/buildAgent.properties | grep version
Alternatively, check via API
curl -s http://<teamcity-server>:8111/update/version.xml | grep version

Analytics:

The vulnerability resides in the unauthenticated agent registration endpoint, typically exposed at `/app/agents` or similar paths. Below is a cURL example demonstrating how an attacker could inject a payload:

Exploit simulation: Inject XSS payload via agent registration
curl -X POST "http://<teamcity-server>:8111/app/agents" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "name=<script>alert('CVE-2026-59795')</script>&hostname=malicious-agent&description=test"

After successful injection, any administrator visiting the Agents page will trigger the payload:

<!-- Vulnerable rendering in TeamCity UI -->

<div class="agent-name">
<script>alert('CVE-2026-59795')</script>
</div>

Exploit:

A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the agent registration endpoint. The request contains a JavaScript payload within parameters like name, hostname, or description. Since these fields are not properly sanitized, the payload is stored in the database. When an administrator or any user with view permissions accesses the Agents list or details page, the script executes in their browser, enabling session hijacking, credential theft, or unauthorized actions.

Protection:

  1. Upgrade TeamCity to version 2026.1.2 or later, which contains the official patch.
  2. Restrict network access to the agent registration endpoint, allowing only trusted IP addresses.
  3. Deploy a Web Application Firewall (WAF) to detect and block suspicious registration requests containing script patterns.
  4. Conduct regular security scans using tools like OWASP ZAP or Burp Suite to identify similar issues.
  5. Implement robust logging and monitoring to detect unauthorized registration attempts or anomalous script execution patterns.

Impact:

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of an authenticated user’s session. This can lead to:
Session Hijacking: Stealing session cookies to impersonate legitimate users.
Credential Theft: Capturing user credentials entered on the page.
Privilege Escalation: Performing administrative actions on behalf of a logged-in administrator.
Data Exfiltration: Accessing and stealing sensitive build artifacts, source code, or configuration data.
Lateral Movement: Using the compromised session to pivot to other internal systems.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top