TeamCity
by JetBrains
CVEs (267)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-36371 | 0.04 | — | 0.00 | May 29, 2024 | In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible |
| CVE-2024-36370 | 0.04 | — | 0.00 | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible |
| CVE-2024-36369 | 0.04 | — | 0.00 | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible |
| CVE-2024-36366 | 0.04 | — | 0.00 | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations |
| CVE-2024-36363 | 0.04 | — | 0.00 | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible |
| CVE-2025-31140 | 0.03 | — | 0.27 | Mar 27, 2025 | In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page |
| CVE-2024-56355 | 0.03 | — | 0.01 | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS |
| CVE-2024-56352 | 0.03 | — | 0.01 | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page |
| CVE-2024-43807 | 0.03 | — | 0.00 | Aug 16, 2024 | In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page |
| CVE-2019-15039 | 0.03 | — | 0.13 | Oct 1, 2019 | An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2019.1. |
| CVE-2025-24459 | 0.02 | — | 0.03 | Jan 21, 2025 | In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page |
| CVE-2024-36372 | 0.02 | — | 0.00 | May 29, 2024 | In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible |
| CVE-2024-36367 | 0.02 | — | 0.00 | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible |
| CVE-2025-26493 | 0.01 | — | 0.00 | Feb 11, 2025 | In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab |
| CVE-2026-28196 | 0.00 | — | 0.00 | Feb 25, 2026 | In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk |
| CVE-2026-28195 | 0.00 | — | 0.00 | Feb 25, 2026 | In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations |
| CVE-2026-28194 | 0.00 | — | 0.00 | Feb 25, 2026 | In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow |
| CVE-2025-68268 | 0.00 | — | 0.00 | Dec 16, 2025 | In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page |
| CVE-2025-68267 | 0.00 | — | 0.00 | Dec 16, 2025 | In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token |
| CVE-2025-68166 | 0.00 | — | 0.00 | Dec 16, 2025 | In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab |
Page 2 of 14