This vulnerability (CVE-2026-49375) affects JetBrains TeamCity prior to version 2026.1 and involves a reflected XSS (CWE-79) on the repository download page. Reflected XSS vulnerabilities allow attackers to inject malicious scripts that are reflected off the web server and executed by victims, potentially leading to information disclosure or session hijacking. The CVSS 3.1 vector indicates the attack can be performed remotely over the network without privileges, requires user interaction, and impacts confidentiality and integrity with no impact on availability.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the victim's browser session when visiting the affected repository download page. This could lead to partial confidentiality and integrity impacts such as theft of sensitive information or manipulation of data within the user's session. There is no indication of availability impact. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation has been published, users should monitor JetBrains advisories for updates. Until a fix is available, cautious handling of URLs and limiting exposure to untrusted input on the repository download page is recommended.