
PatchSiren cyber security CVE debrief

CVE-2026-49371 JetBrains CVE debrief

A reflected cross-site scripting (XSS) vulnerability exists in JetBrains TeamCity versions prior to 2026.1.1. The flaw resides in the keyword filter functionality, where insufficient input sanitization allows attacker-controlled script content to execute in a victim's browser context. With a CVSS 3.1 score of 7.1 (High), this vulnerability presents significant risk due to its network attack vector, low attack complexity, and no required privileges—though user interaction is necessary. The confidentiality impact is rated High, while integrity impact is Low, with no availability impact. The underlying weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). JetBrains has addressed this issue in TeamCity 2026.1.1. Organizations should prioritize upgrading to this version or later to eliminate the attack surface.

Vendor: JetBrains
Product: TeamCity
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running JetBrains TeamCity CI/CD infrastructure, particularly those with externally accessible instances or multi-user environments where the keyword filter functionality is exposed to untrusted input sources.

Technical summary

Reflected XSS in TeamCity < 2026.1.1 keyword filter; CVSS 7.1; fixed in 2026.1.1

Defensive priority

High

Recommended defensive actions

  • Upgrade JetBrains TeamCity to version 2026.1.1 or later to remediate the reflected XSS vulnerability in the keyword filter.
  • If immediate patching is not feasible, implement Web Application Firewall (WAF) rules to detect and block XSS payloads targeting the keyword filter parameter.
  • Review access logs for suspicious requests to keyword filter endpoints containing script tags or encoded JavaScript patterns.
  • Validate that Content Security Policy (CSP) headers are configured to limit the impact of any unpatched XSS vectors.
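One way to carry out the log review in the third action, as an added example (not PatchSiren or JetBrains code): a Python scan over constructed combined-format access-log lines that decodes every query parameter (including double encoding) and flags script-injection indicators. The endpoint path `/filterKeyword` is an assumed placeholder, since the advisory does not name the real keyword filter endpoint or parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Placeholder: the advisory does not name the keyword filter endpoint or parameter.
KEYWORD_FILTER_PATHS = ("/filterKeyword",)   # hypothetical path

# Indicators checked against each fully decoded query parameter value.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon\w+\s*=", re.I),                # inline event handlers (onerror=, onload=)
    re.compile(r"<\s*(img|svg|iframe|object)\b", re.I),
]
# Combined log format (Apache/Nginx); only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value: str, rounds: int = 3) -> str:
    # Strip repeated URL encoding so double-encoded payloads are not missed.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_line(line: str):
    # Return a finding for a keyword-filter request carrying an XSS indicator, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if not url.path.startswith(KEYWORD_FILTER_PATHS):
        return None
    # parse_qsl already removes one layer of encoding; fully_decode handles the rest.
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(raw)
        for pat in XSS_PATTERNS:
            if pat.search(decoded):
                return {"ip": m.group("ip"), "ts": m.group("ts"), "param": name, "decoded": decoded}
    return None

def scan(lines):
    return [hit for hit in map(flag_line, lines) if hit]
# Constructed sample access-log lines (not real traffic); the third is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/May/2026:10:00:01 +0000] "GET /filterKeyword?keyword=build-failed HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/May/2026:10:00:02 +0000] "GET /filterKeyword?keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734 "-" "curl/8.0"',
    '198.51.100.9 - - [29/May/2026:10:00:03 +0000] "GET /filterKeyword?keyword=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 734 "-" "curl/8.0"',
    '203.0.113.8 - - [29/May/2026:10:00:04 +0000] "GET /login.html?next=%3Cscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Requests to other paths are deliberately left out of scope so the review stays focused on the affected endpoint; widen `KEYWORD_FILTER_PATHS` to cover the real path once it is known.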

Evidence notes

CVE published 2026-05-29; NVD status 'Undergoing Analysis' as of source timestamp. Vendor advisory confirms fix in TeamCity 2026.1.1. CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N.
