PatchSiren cyber security CVE debrief
CVE-2026-49375 JetBrains CVE debrief
A reflected cross-site scripting (XSS) vulnerability exists in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5. The flaw affects the repository download page and could allow an attacker to execute malicious scripts in a victim's browser context. The CVSS 3.1 score of 6.1 (MEDIUM) reflects network attack vector, low attack complexity, no privileges required, but user interaction required, with scope change and low impacts to confidentiality and integrity. The vulnerability was published to the CVE database on May 29, 2026, and is currently undergoing analysis by NVD. JetBrains has addressed this issue in the specified fixed versions.
- Vendor: JetBrains
- Product: TeamCity
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running JetBrains TeamCity CI/CD servers, particularly those with externally accessible repository download pages, as well as security teams responsible for application security and developers using TeamCity for build automation.
Technical summary
Reflected XSS vulnerability in JetBrains TeamCity before 2026.1 and 2025.11.5 on the repository download page. CVSS 3.1 score 6.1 (MEDIUM). Fixed versions available.
Defensive priority
medium
Recommended defensive actions
- Upgrade JetBrains TeamCity to version 2026.1 or 2025.11.5 or later
- Review access logs for suspicious requests to the repository download page containing script tags or encoded JavaScript payloads
- Implement Content Security Policy (CSP) headers as a defense-in-depth measure
- Validate and sanitize all user-supplied input reflected in web page responses
- Consider web application firewall (WAF) rules to detect and block XSS attempts
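The log review recommended above, as an added example (not code from PatchSiren or JetBrains). It assumes combined-format access logs; the path prefix is a placeholder because the advisory does not give the URL of the repository download page, and the sample log lines are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# Placeholder: the advisory does not give the URL of the repository download
# page; set this to the path your TeamCity reverse proxy actually logs.
DOWNLOAD_PAGE_PREFIX = "/PLACEHOLDER-repository-download"

# Request line of a combined-format access log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup that has no business in a query string once it is fully decoded.
MARKERS = re.compile(
    r"""<\s*(script|img|svg|iframe)\b|[\s"'/]on[a-z]+\s*=|javascript:""", re.I)


def fully_decode(value, max_rounds=5):
    """Undo stacked URL/HTML-entity encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (line_number, decoded_target) for flagged download-page hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        path, _, query = (match.group(1) if match else "").partition("?")
        if not path.startswith(DOWNLOAD_PAGE_PREFIX):
            continue  # unparsable line or a different page
        decoded = fully_decode(query)
        if MARKERS.search(decoded):
            hits.append((number, path + "?" + decoded))
    return hits


# Constructed sample entries (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2026:10:01:02 +0000] "GET /PLACEHOLDER-repository-download?file=build.zip HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/May/2026:10:02:10 +0000] "GET /PLACEHOLDER-repository-download?file=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [29/May/2026:10:02:44 +0000] "GET /PLACEHOLDER-repository-download?file=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 655',
    '198.51.100.4 - - [29/May/2026:10:03:00 +0000] "GET /login.html?next=%3Cscript%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Decoding repeatedly before matching is what catches the double-encoded third entry, which a single-pass pattern match on the raw log line would miss.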
Evidence notes
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected product is confirmed as JetBrains TeamCity based on the CVE description and vendor reference. The fix versions are explicitly stated as 2026.1 and 2025.11.5.
Official resources
- CVE-2026-49375 CVE record (CVE.org)
- CVE-2026-49375 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
JetBrains disclosed this vulnerability through their security issues fixed page. The CVE was assigned and published to NVD on May 29, 2026.