CVE-2025-26493 – Multiple DOM-based cross-site scripting (XSS) v... (How to Fix)

Q: What is the severity of CVE-2025-26493?

CVE-2025-26493 has a CVSS score of 4.6 (MEDIUM). Multiple DOM-based cross-site scripting (XSS) vulnerabilities exist in JetBrains TeamCity's Code Inspection Report tab. These allow attackers to inject malicious scripts that execute in users' browsers when viewing manipulated reports. Organizations using vulnerable TeamCity versions are affected.

📋 TL;DR

Multiple DOM-based cross-site scripting (XSS) vulnerabilities exist in JetBrains TeamCity's Code Inspection Report tab. These allow attackers to inject malicious scripts that execute in users' browsers when viewing manipulated reports. Organizations using vulnerable TeamCity versions are affected.

💻 Affected Systems

Products:

JetBrains TeamCity

Versions: All versions before 2024.12.2

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the web interface's Code Inspection Report tab functionality.

📦 What is this software?

Teamcity by Jetbrains

View all CVEs affecting Teamcity →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full TeamCity compromise.

🟠

Likely Case

Attackers with access to create or modify code inspection reports could inject scripts that steal session data from users viewing those reports.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.

🌐 Internet-Facing: MEDIUM - While exploitation requires user interaction, internet-facing TeamCity instances are accessible to external attackers.

🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this to escalate privileges within the TeamCIty environment.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to create or modify code inspection reports, and victim must view the manipulated report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.12.2

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Backup TeamCity configuration and data. 2. Download TeamCity 2024.12.2 from JetBrains website. 3. Stop TeamCity service. 4. Install the update following JetBrains upgrade guide. 5. Restart TeamCity service. 6. Verify successful upgrade.

🔧 Temporary Workarounds

Restrict Code Inspection Report Access

all

Limit who can create or modify code inspection reports to trusted users only.

Content Security Policy

all

Implement strict Content Security Policy headers to mitigate XSS impact.

🧯 If You Can't Patch

Implement strict access controls on code inspection report creation/modification
Monitor for suspicious activity in TeamCity audit logs

🔍 How to Verify

Check if Vulnerable:

Check TeamCity version in Administration → Server Administration → Server Health → Version

Check Version:

Check TeamCity web interface or server logs for version information

Verify Fix Applied:

Confirm version is 2024.12.2 or later in the same location

📡 Detection & Monitoring

Log Indicators:

Unusual code inspection report creation/modification patterns
Suspicious JavaScript in report data

Network Indicators:

Unexpected external script loading in TeamCity traffic

SIEM Query:

source="teamcity" AND (event="report_creation" OR event="report_modification") AND user NOT IN [trusted_users]

📊 Metadata

CVE ID: CVE-2025-26493

CVSS v3 Score: 4.6 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 11.44% exploit probability (93.4th percentile)

Published: February 11, 2025

Last Updated: May 16, 2025

🔗 References

https://www.jetbrains.com/privacy-security/issues-fixed/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-26493, you might also want to check these: