JetBrains Teamcity
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in JetBrains Teamcity.
Known Exploited JetBrains Teamcity Vulnerabilities
The following JetBrains Teamcity vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| JetBrains TeamCity Authentication Bypass Vulnerability |
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions. CVE-2024-27198 Exploit Probability: 94.6% |
March 7, 2024 |
| JetBrains TeamCity Authentication Bypass Vulnerability |
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server. CVE-2023-42793 Exploit Probability: 94.6% |
October 4, 2023 |
Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 20 vulnerabilities in JetBrains Teamcity with an average score of 6.5 out of ten. Last year, in 2024 Teamcity had 65 security vulnerabilities published. Right now, Teamcity is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.16.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 20 | 6.46 |
| 2024 | 65 | 6.30 |
| 2023 | 35 | 6.36 |
| 2022 | 29 | 6.64 |
| 2021 | 37 | 6.52 |
| 2020 | 18 | 5.84 |
| 2019 | 20 | 6.48 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Teamcity vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Teamcity Security Vulnerabilities
In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
CVE-2025-52875
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
XSS
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
CVE-2025-52876
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
XSS
In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible
CVE-2025-52877
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible
XSS
In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions
CVE-2025-52878
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions
AuthZ
In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible
CVE-2025-52879
- June 23, 2025
In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible
XSS
In JetBrains TeamCity before 2025.03.2 stored XSS
CVE-2025-47851
5.4 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible
XSS
In JetBrains TeamCity before 2025.03.2 stored XSS
CVE-2025-47852
5.4 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible
XSS
In JetBrains TeamCity before 2025.03.2 stored XSS
CVE-2025-47853
5.4 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible
XSS
In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page
CVE-2025-47854
6.1 - Medium
- May 20, 2025
In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page
Open Redirect
In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs
CVE-2025-46432
6.5 - Medium
- April 25, 2025
In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs
Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible
CVE-2025-46433
9.8 - Critical
- April 25, 2025
In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible
Directory traversal
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab
CVE-2025-46618
6.1 - Medium
- April 25, 2025
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab
XSS
In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log
CVE-2025-31139
6.5 - Medium
- March 27, 2025
In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log
Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page
CVE-2025-31140
6.1 - Medium
- March 27, 2025
In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page
XSS
In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page
CVE-2025-31141
7.5 - High
- March 27, 2025
In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page
Generation of Error Message Containing Sensitive Information
In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources
CVE-2025-26492
9.1 - Critical
- February 11, 2025
In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources
Insufficiently Protected Credentials
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab
CVE-2025-26493
6.1 - Medium
- February 11, 2025
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab
XSS
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page
CVE-2025-24459
6.1 - Medium
- January 21, 2025
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page
XSS
In JetBrains TeamCity before 2024.12.1 improper access control
CVE-2025-24460
4.3 - Medium
- January 21, 2025
In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects names in the agent pool
AuthZ
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible
CVE-2025-24461
6.5 - Medium
- January 21, 2025
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint
AuthZ
JetBrains TeamCity Improper Access Control Vulnerability in Agent Details
CVE-2024-56348
4.3 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
AuthZ
JetBrains TeamCity Improper Access Control Vulnerability in Build Logs
CVE-2024-56349
5.3 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs
AuthZ
JetBrains TeamCity Unauthorized Project Viewing Vulnerability
CVE-2024-56350
4.3 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects
AuthZ
JetBrains TeamCity Access Token Revocation Failure
CVE-2024-56351
8.8 - High
- December 20, 2024
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles
Insufficient Session Expiration
JetBrains TeamCity Stored XSS Vulnerability in Agent Details Page
CVE-2024-56352
5.4 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page
XSS
JetBrains TeamCity Backup File Exposure Vulnerability
CVE-2024-56353
6.5 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies
Improper Removal of Sensitive Information Before Storage or Transfer
JetBrains TeamCity Password Field Access Vulnerability
CVE-2024-56354
4.9 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission
Insufficiently Protected Credentials
JetBrains TeamCity RemoteBuildLogController XSS Vulnerability
CVE-2024-56355
5.4 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS
XSS
JetBrains TeamCity XMLParser XXE Vulnerability
CVE-2024-56356
7.1 - High
- December 20, 2024
In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack
XXE
In JetBrains TeamCity before 2024.07.3 password could be exposed
CVE-2024-47161
6.5 - Medium
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API
Insufficiently Protected Credentials
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible
CVE-2024-47948
7.5 - High
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups
Directory traversal
In JetBrains TeamCity before 2024.07.3 path traversal
CVE-2024-47949
7.5 - High
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location
Directory traversal
In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings
CVE-2024-47950
5.4 - Medium
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings
XSS
In JetBrains TeamCity before 2024.07.3 stored XSS was possible
CVE-2024-47951
5.4 - Medium
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings
XSS
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin
CVE-2024-43810
5.4 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin
XSS
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page
CVE-2024-43809
6.1 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page
XSS
In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin
CVE-2024-43808
5.4 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin
XSS
In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page
CVE-2024-43807
5.4 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page
XSS
In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions
CVE-2024-43114
7.8 - High
- August 06, 2024
In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions
Incorrect Default Permissions
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen
CVE-2024-41829
7.5 - High
- July 22, 2024
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection
authentification
In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time
CVE-2024-41828
6.5 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration
CVE-2024-41827
9.8 - Critical
- July 22, 2024
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration
Insufficient Session Expiration
In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases
CVE-2024-41824
6.5 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases
Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab
CVE-2024-41825
5.4 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab
XSS
In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page
CVE-2024-41826
4.8 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page
XSS
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings
CVE-2024-39879
5.3 - Medium
- July 01, 2024
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings
Insufficiently Protected Credentials
In JetBrains TeamCity before 2024.03.3 private key could be exposed
CVE-2024-39878
5.3 - Medium
- July 01, 2024
In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection
Insufficiently Protected Credentials
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed
CVE-2024-36366
6.1 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations
XSS
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS
CVE-2024-36369
5.4 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible
XSS
In JetBrains TeamCity before 2022.04.7
CVE-2024-36365
8.1 - High
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent
AuthZ
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for JetBrains Teamcity or by JetBrains? Click the Watch button to subscribe.
