CVE-2026-49371 · Severity: HIGH · CNA: JetBrains

CVE-2026-49371: Reflected XSS in JetBrains TeamCity before 2026.1.1

In JetBrains TeamCity before 2026.1.1, reflected XSS in the keyword filter was possible.

HarborGuard Analysis

Synopsis

Reflected cross-site scripting (XSS) in JetBrains TeamCity lets an attacker place script in the keyword filter parameter; the script runs in a victim's browser when the victim follows a crafted link. The flaw is reachable over the network without authentication, but a logged-in user must open the attacker's URL for the payload to run, after which the attacker can read sensitive page content and perform limited actions in the victim's session. A patched-image rebuild at 2026.1.1 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE record is ingested from upstream feeds within minutes of publication and matched against TeamCity images in customer registries and CI pipelines, including custom-built images that embed TeamCity.
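Added example, not HarborGuard's or JetBrains' code: a version-range check of the kind the detection step above performs, comparing TeamCity image tags against the affected range this page lists for JetBrains / TeamCity (< 2026.1.1, from 0). The image names, the pre-release suffix handling and the sample inventory are assumptions made for the demonstration.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range copied from the "Affected packages" entry on this page.
AFFECTED_FROM = "0"        # inclusive lower bound
FIXED_IN = "2026.1.1"      # exclusive upper bound

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+.]?([A-Za-z].*))?$")
# Assumption (not from the advisory): these suffixes mark pre-release builds,
# which sort before the final release; other suffixes (e.g. '-linux') do not.
_PRERELEASE_RE = re.compile(r"^(eap|rc|beta|alpha|snapshot)", re.IGNORECASE)

def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """'2026.1.1' -> ((2026, 1, 1), 1); '2026.1.1-EAP1' -> ((2026, 1, 1), 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))            # 2026.1 == 2026.1.0
    return nums, 0 if _PRERELEASE_RE.match(m.group(2) or "") else 1

def is_affected(version: str) -> bool:
    """True when AFFECTED_FROM <= version < FIXED_IN."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)

def triage_images(images: Iterable[str]) -> Dict[str, str]:
    """Map each image ref to 'affected', 'fixed' or 'unknown'; versionless tags
    ('latest', digest-only) come back 'unknown' so they still get a manual look."""
    result: Dict[str, str] = {}
    for ref in images:
        last = ref.rsplit("/", 1)[-1]        # strip registry/repo path first
        tag = last.split(":", 1)[1] if ":" in last else ""
        try:
            result[ref] = "affected" if is_affected(tag) else "fixed"
        except ValueError:
            result[ref] = "unknown"
    return result

# Constructed sample inventory for the demo, not a real registry listing.
SAMPLE_IMAGES = [
    "jetbrains/teamcity-server:2025.11.3",
    "jetbrains/teamcity-server:2026.1.1-linux",
    "jetbrains/teamcity-server:2026.1.1-EAP1",
    "registry.example.internal:5000/ci/teamcity:latest",
]

if __name__ == "__main__":
    for ref, status in triage_images(SAMPLE_IMAGES).items():
        print(f"{status:8} {ref}")
```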
Triage: Available

Triage is available with the published CVSS v3.1 score of 7.1 (High) weighted against each customer's compliance policy, then routed to the security or platform inbox configured for that organization.
Patch: Available

A patched-image rebuild at TeamCity 2026.1.1 is available on HarborGuard for affected environments. For customers who opt into auto-remediation, the rebuild is produced, the regression suite is run, and a pull request is opened against the workloads that reference the affected image.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the TeamCity web interface over the network for the victim to load the crafted URL.

  • Authentication: Not required

    No attacker credentials are needed to craft or deliver the malicious link.

  • Victim interaction: Required

    A TeamCity user must click an attacker-supplied link containing the malicious keyword filter payload.

  • Attack complexity: Low

    Attack complexity is low; the reflected XSS fires reliably once the victim loads the crafted URL.

Blast Radius

  • Executes attacker-controlled JavaScript in the victim's authenticated TeamCity session.
  • Reads page content visible to the victim, including build configuration and project data shown in the UI.
  • Performs limited write actions in the victim's session within the same-origin context of the TeamCity interface.

How HarborGuard Handles This

Available on HarborGuard: a TeamCity 2026.1.1 rebuild is published for affected environments, and customers with auto-remediation enabled get the rebuild, a regression test run, and a PR opened against workloads pinned to vulnerable versions. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the patched image is staged in the registry and the PR is left open for review.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 2026.1.1
Affected Products: 1

Fix available: 2026.1.1

Affected packages
  • JetBrains / TeamCity: < 2026.1.1 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N