In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab
In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page
In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload
In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration
In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test
In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows
In JetBrains TeamCity before 2025.07 reflected XSS was possible on the agentpushPreset page
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page
In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible
In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible
In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition
In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location
In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin
In JetBrains IDE Services before 2025.5.0.1086, 2025.4.2.2164 users without appropriate permissions could assign a high-privileged role to themselves
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services
In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page
In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication