Cyber Posture

CVE-2025-26493

Severity: Medium

Published: 11 February 2025
Modified: 16 May 2025
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
EPSS Score: 0.1567 (94.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-26493 is a set of DOM-based cross-site scripting (XSS) vulnerabilities, classified under CWE-79, affecting JetBrains TeamCity versions prior to 2024.12.2. These flaws exist specifically on the Code Inspection Report tab, where untrusted input could be executed in the victim's browser context. The vulnerability received a CVSS v3.1 base score of 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, and requirements for low privileges and user interaction.

An attacker with low-privileged access to a TeamCity instance could exploit these XSS issues by placing crafted content where the Code Inspection Report tab renders it. Exploitation requires that an authenticated user, such as another team member or an administrator, interacts with the malicious content, for example by viewing a tampered report. Successful exploitation would have limited impact: limited disclosure of data available in the browser (such as session tokens) or minor manipulation of page content, without affecting availability or escalating privileges.

JetBrains addressed these vulnerabilities in TeamCity 2024.12.2, as detailed in their security bulletin at https://www.jetbrains.com/privacy-security/issues-fixed/. Security practitioners should prioritize upgrading affected instances to the patched version and review access controls on the Code Inspection Report feature to minimize exposure.
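The summary above describes the general CWE-79 pattern: untrusted report data reaching an HTML sink without encoding. The following is an added illustration, not TeamCity's code and not taken from the JetBrains bulletin; the finding structure, function names and sample payload are assumptions constructed for the example. It contrasts an unsafe renderer that concatenates raw values into markup with a safe one that escapes every field first, and includes a small check a reviewer could use to detect unescaped tags in rendered output.

```javascript
// Added illustration (not TeamCity code): rendering an untrusted inspection
// finding into HTML. The unsafe version concatenates raw values into markup,
// which is the DOM-based XSS pattern CWE-79 describes; the safe version
// escapes every field before it reaches an HTML sink such as innerHTML.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Unsafe: attacker-controlled strings land in the markup verbatim.
// (Assigning this string to element.innerHTML would execute the payload.)
function renderFindingUnsafe(finding) {
  return `<tr><td>${finding.file}</td><td>${finding.message}</td></tr>`;
}

// Safe: every untrusted field is escaped before becoming markup. In a real
// DOM, preferring textContent over innerHTML achieves the same effect.
function renderFindingSafe(finding) {
  return `<tr><td>${escapeHtml(finding.file)}</td>` +
         `<td>${escapeHtml(finding.message)}</td></tr>`;
}

// Constructed sample finding: the message field carries a tag with an event
// handler, the kind of value a report renderer must never interpret as HTML.
const sampleFinding = {
  file: 'src/Main.java',
  message: '<img src=x onerror="alert(1)">',
};

// Review/detection helper: does the rendered markup contain an unescaped
// tag that could carry script? Only the renderer's own table tags should appear.
function containsRawTag(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}

// Runs both renderers over the sample and reports whether each leaks a raw tag.
function demo() {
  return {
    unsafe: containsRawTag(renderFindingUnsafe(sampleFinding)),
    safe: containsRawTag(renderFindingSafe(sampleFinding)),
  };
}

// Expected: { unsafe: true, safe: false }
console.log(demo());
```

The escaping function covers text and attribute contexts; output placed into a JavaScript, URL or CSS context needs context-specific encoding instead, and a Content Security Policy limits the blast radius if an encoding step is ever missed.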

Details

CWE(s)
CWE-79

Affected Products

JetBrains TeamCity, versions before 2024.12.2 (fixed in 2024.12.2)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The DOM-based XSS flaws sit in the network-accessible TeamCity web application, so they can serve as a way into a public-facing application (T1190). Crafted report content leads to arbitrary JavaScript execution in the victim's browser context (T1059.007), with user interaction required.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
