
JetBrains TeamCity vulnerabilities

269 known vulnerabilities affecting jetbrains/teamcity.

Total CVEs: 269
CISA KEV: 3 (actively exploited)
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 24, HIGH 54, MEDIUM 182, LOW 9

Vulnerabilities

Page 6 of 14
CVE-2026-49376 | P4 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 2026.1 | 2026-05-29
In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin
Source: NVD
CVE-2019-12841 | P4 | HIGH | CVSS 7.5 | CWE-20 | fixed in 2018.2.2 | 2019-07-03
Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity. The issue was fixed in TeamCity 2018.2.2.
Source: NVD
CVE-2022-36321 | P4 | MEDIUM | CVSS 6.5 | CWE-532 | fixed in 2022.04.2 | ≥ 2022.04.2, < 2022.04.2 | 2022-07-20
In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases
Source: NVD
CVE-2024-31134 | P4 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 2024.03 | 2024-03-28
In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled
Source: NVD
CVE-2023-38064 | P4 | MEDIUM | CVSS 6.5 | CWE-532 | fixed in 2023.05.1 | 2023-07-12
In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log
Source: NVD
CVE-2023-38067 | P4 | MEDIUM | CVSS 6.5 | CWE-532 | fixed in 2023.05.1 | 2023-07-12
In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log
Source: NVD
CVE-2024-41824 | P4 | MEDIUM | CVSS 6.5 | CWE-532 | fixed in 2024.07 | 2024-07-22
In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases
Source: NVD
CVE-2025-52876 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2025.03.3 | 2025-06-23
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
Source: NVD
CVE-2025-68165 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2025.11 | 2025-12-16
In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup
Source: NVD
CVE-2022-24337 | P4 | MEDIUM | CVSS 6.5 | CWE-276 | fixed in 2021.2 | 2022-02-25
In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions.
Source: NVD
CVE-2022-24333 | P4 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 2021.2 | 2022-02-25
In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible.
Source: NVD
CVE-2020-15828 | P4 | MEDIUM | CVSS 6.5 | fixed in 2020.1.1 | 2020-08-08
In JetBrains TeamCity before 2020.1.1, project parameter values can be retrieved by a user without appropriate permissions.
Source: NVD
CVE-2025-57732 | P4 | MEDIUM | CVSS 6.3 | CWE-282 | fixed in 2025.07.1 | 2025-08-20
In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership
Source: NVD
CVE-2020-11688 | P4 | HIGH | CVSS 7.5 | CWE-613 | fixed in 2019.2.1 | 2020-04-22
In JetBrains TeamCity before 2019.2.1, the application state is kept alive after a user ends his session.
Source: NVD
CVE-2022-24336 | P4 | MEDIUM | CVSS 5.3 | fixed in 2021.2.1 | 2022-02-25
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server.
Source: NVD
CVE-2020-11689 | P4 | MEDIUM | CVSS 6.5 | CWE-276 | fixed in 2019.2.1 | 2020-04-22
In JetBrains TeamCity before 2019.2.1, a user without appropriate permissions was able to import settings from the settings.kts file.
Source: NVD
CVE-2025-47851 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2025.03.2 | 2025-05-20
In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible
Source: NVD
CVE-2025-54538 | P4 | MEDIUM | CVSS 5.5 | CWE-312 | fixed in 2025.07 | 2025-07-28
In JetBrains TeamCity before 2025.07 password exposure was possible via command line in the "hg pull" command
Source: NVD
CVE-2024-24938 | P4 | MEDIUM | CVSS 5.3 | CWE-23 | fixed in 2023.11.2 | 2024-02-06
In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation
Source: NVD
CVE-2025-67740 | P4 | MEDIUM | CVSS 5.3 | CWE-863 | fixed in 2025.11 | 2025-12-11
In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata
Source: NVD