JetBrains Teamcity
Known Exploited JetBrains Teamcity Vulnerabilities
The following JetBrains Teamcity vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions. CVE-2024-27198. Exploit Probability: 94.6% | March 7, 2024 |
| JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server. CVE-2023-42793. Exploit Probability: 92.9% | October 4, 2023 |
Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 0 vulnerabilities in JetBrains Teamcity. Last year, in 2025, Teamcity had 48 security vulnerabilities published. Right now, Teamcity is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 48 | 6.06 |
| 2024 | 65 | 6.30 |
| 2023 | 35 | 6.36 |
| 2022 | 29 | 6.64 |
| 2021 | 37 | 6.52 |
| 2020 | 18 | 5.87 |
| 2019 | 20 | 6.10 |
It may take a day or so for new Teamcity vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Teamcity Security Vulnerabilities
TeamCity Reflected XSS (Storage Settings) before 2025.11.1
CVE-2025-68268
5.4 - Medium
- December 16, 2025
In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page
XSS
JetBrains TeamCity < 2025.11.1: GitHub PA Token Stored Privilege Escalation
CVE-2025-68267
6.5 - Medium
- December 16, 2025
In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token
Least Privilege Violation
JetBrains TeamCity <=2025.10 DOM XSS on OAuth Connections Tab
CVE-2025-68166
5.4 - Medium
- December 16, 2025
In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab
XSS
JetBrains TeamCity pre-2025.11: VCS Root setup Reflected XSS
CVE-2025-68165
5.4 - Medium
- December 16, 2025
In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup
XSS
JetBrains TeamCity Port Enumeration via Perforce Conn Test (pre-2025.11)
CVE-2025-68164
2.7 - Low
- December 16, 2025
In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test
Side Channel Attack
TeamCity <2025.11: stored XSS on agentpushInstall page
CVE-2025-68163
3.5 - Low
- December 16, 2025
In JetBrains TeamCity before 2025.11 stored XSS was possible on agentpushInstall page
XSS
TeamCity <2025.11: Maven Embedder allows Unrestricted Extension Loading
CVE-2025-68162
2.7 - Low
- December 16, 2025
In JetBrains TeamCity before 2025.11 Maven embedder allowed loading extensions via project configuration
Inclusion of Functionality from Untrusted Control Sphere
TeamCity < 2025.11 Path Traversal via File Upload (CVE-2025-67742)
CVE-2025-67742
3.8 - Low
- December 11, 2025
In JetBrains TeamCity before 2025.11 path traversal was possible via file upload
Directory traversal
JetBrains TeamCity 2025.10 Stored XSS via session attribute
CVE-2025-67741
4.8 - Medium
- December 11, 2025
In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute
XSS
JetBrains TeamCity <2025.11: Improper Access Control Exposes GH Token Metadata
CVE-2025-67740
2.7 - Low
- December 11, 2025
In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata
AuthZ
JetBrains TeamCity <2025.11.2 Repository URL Validation Flaw => Local Path Disclosure
CVE-2025-67739
3.1 - Low
- December 11, 2025
In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure
Improper Authorization in Handler for Custom URL Scheme
TeamCity < 2025.07.2 Git URL Validation Flaw Causing Credential Leak on Windows
CVE-2025-59457
7.7 - High
- September 17, 2025
In JetBrains TeamCity before 2025.07.2 missing Git URL validation allowed credential leakage on Windows
Allowlist / Allow List
JetBrains TeamCity <2025.07.2 Path Traversal on Project Archive Upload
CVE-2025-59456
5.5 - Medium
- September 17, 2025
In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload
Relative Path Traversal
JetBrains TeamCity Project Isolation Bypass (Race Cond.)
CVE-2025-59455
4.2 - Medium
- September 17, 2025
In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition
Race Condition
JetBrains TeamCity <2025.07.1 Privilege Escalation via Wrong Dir Ownership
CVE-2025-57732
- August 20, 2025
In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership
Improper Ownership Management
TeamCity <2025.07.1 – SMTP Injection via email component
CVE-2025-57733
- August 20, 2025
In JetBrains TeamCity before 2025.07.1 SMTP injection was possible allowing modification of email content
Command Injection
TeamCity <2025.07.1: AWS Creds Leak in Docker Scripts
CVE-2025-57734
- August 20, 2025
In JetBrains TeamCity before 2025.07.1 AWS credentials were exposed in Docker script files
Insertion of Sensitive Information into Externally-Accessible File or Directory
TeamCity before 2025.07: Password Exposure via hg pull command line
CVE-2025-54538
- July 28, 2025
In JetBrains TeamCity before 2025.07 password exposure was possible via command line in the "hg pull" command
Cleartext Storage of Sensitive Information
TeamCity <=2025.07: Credentials stored in plain text in memory snapshots
CVE-2025-54537
- July 28, 2025
In JetBrains TeamCity before 2025.07 user credentials were stored in plain text in memory snapshots
Cleartext Storage of Sensitive Information
JetBrains TeamCity <2025.07 Weak Hashing of Reset/Verify Tokens
CVE-2025-54535
7.5 - High
- July 28, 2025
In JetBrains TeamCity before 2025.07 password reset and email verification tokens were using weak hashing algorithms
Reversible One-Way Hash
TeamCity <=2025.07 Reflected XSS on agentpushPreset
CVE-2025-54534
- July 28, 2025
In JetBrains TeamCity before 2025.07 reflected XSS was possible on the agentpushPreset page
XSS
TeamCity before 2025.07: Improper Access Control Exposes VCS Build Settings
CVE-2025-54533
- July 28, 2025
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration
AuthZ
TeamCity <=2025.07 Improper Access Control - Disclosure of Build Settings
CVE-2025-54532
- July 28, 2025
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via snapshot dependencies
AuthZ
TeamCity 2025.07 Path Traversal via Plugin Unpacking on Windows
CVE-2025-54531
9.4 - Critical
- July 28, 2025
In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows
Relative Path Traversal
JetBrains TeamCity <=2025.06 Priv Escalation via Incorrect Directory Permissions
CVE-2025-54530
9.8 - Critical
- July 28, 2025
In JetBrains TeamCity before 2025.07 privilege escalation was possible due to incorrect directory permissions
Incorrect Default Permissions
JetBrains TeamCity < 2025.07 CSRF via External OAuth
CVE-2025-54529
7.5 - High
- July 28, 2025
In JetBrains TeamCity before 2025.07 a CSRF was possible in external OAuth login integration
Session Riding
JetBrains TeamCity CSRF in GitHub App flow (before 2025.07)
CVE-2025-54528
8.8 - High
- July 28, 2025
In JetBrains TeamCity before 2025.07 a CSRF was possible in GitHub App connection flow
Session Riding
JetBrains TeamCity <2025.07 CSRF on GraphQL Endpoint
CVE-2025-54536
8.8 - High
- July 28, 2025
In JetBrains TeamCity before 2025.07 a CSRF was possible on GraphQL endpoint
Session Riding
JetBrains TeamCity DOM XSS < 2025.03.3 Performance Monitor
CVE-2025-52875
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
XSS
Reflected XSS in JetBrains TeamCity <2025.03.3 favoriteIcon
CVE-2025-52876
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
XSS
TeamCity diskUsageBuildsStats XSS Before 2025.03.3
CVE-2025-52877
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible
XSS
JetBrains TeamCity usernames exposed before 2025.03.3
CVE-2025-52878
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 usernames were exposed to users without proper permissions
AuthZ
JetBrains TeamCity <2025.03.3: Reflected XSS via NPM Registry
CVE-2025-52879
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible
XSS
TeamCity <=2025.03.2 Stored XSS via GitHub Checks Webhook
CVE-2025-47851
5.4 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible
XSS
TeamCity <= 2025.03.2 Stored XSS via YouTrack integration
CVE-2025-47852
5.4 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible
XSS
TeamCity < 2025.03.2 XSS via Jira Integration
CVE-2025-47853
5.4 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible
XSS
TeamCity <2025.03.2 VCS Root Edit Open Redirect
CVE-2025-47854
6.1 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page
Open Redirect
JetBrains TeamCity XSS on Data Directory Tab (pre-2025.03.1)
CVE-2025-46618
6.1 - Medium
- April 25, 2025
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab
XSS
TeamCity <2025.03.1 Path Validation via loggingPreset | CVE-2025-46433
CVE-2025-46433
9.8 - Critical
- April 25, 2025
In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible
Directory traversal
JetBrains TeamCity <2025.03.1: Base64 Credentials Exposed in Logs
CVE-2025-46432
6.5 - Medium
- April 25, 2025
In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs
Insertion of Sensitive Information into Log File
Base64 Password Exposure via Build Log in JetBrains TeamCity <2025.03
CVE-2025-31139
6.5 - Medium
- March 27, 2025
In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log
Insertion of Sensitive Information into Log File
TeamCity < 2025.03 credential leakage via Cloud Profiles Exception
CVE-2025-31141
7.5 - High
- March 27, 2025
In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page
Generation of Error Message Containing Sensitive Information
TeamCity XSS on Cloud Profiles page before 2025.03
CVE-2025-31140
6.1 - Medium
- March 27, 2025
In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page
XSS
JetBrains TeamCity DOM-based XSS on Code Inspection Report tab <2024.12.2
CVE-2025-26493
6.1 - Medium
- February 11, 2025
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab
XSS
TeamCity <v2024.12.2 Improper Kubernetes Connection Settings Expose Resources
CVE-2025-26492
9.1 - Critical
- February 11, 2025
In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources
Insufficiently Protected Credentials
JetBrains TeamCity < 2024.12.1 Improper Access: View Project Names in Agent Pool
CVE-2025-24460
4.3 - Medium
- January 21, 2025
In JetBrains TeamCity before 2024.12.1 improper access control allowed viewing project names in the agent pool
AuthZ
TeamCity <2024.12.1 Decrypts Connection Secrets via Test Connection
CVE-2025-24461
6.5 - Medium
- January 21, 2025
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint
AuthZ
JetBrains TeamCity <=2024.12.1 Reflected XSS on Vault Connection
CVE-2025-24459
6.1 - Medium
- January 21, 2025
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page
XSS
JetBrains TeamCity Improper Access Control Vulnerability in Build Logs
CVE-2024-56349
5.3 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs
AuthZ
JetBrains TeamCity Access Token Revocation Failure
CVE-2024-56351
8.8 - High
- December 20, 2024
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles
Insufficient Session Expiration