Jetbrains CVEs & Vulnerabilities

35 CVEs affecting Jetbrains products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

teamcity 15youtrack 13intellij idea 9kotlin 1pycharm 1
CVE-2026-57926CRITICAL

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack

26 Jun 2026
9.8
CVSS
CVE-2026-57925MEDIUM

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags

26 Jun 2026
5.3
CVSS
CVE-2026-57924MEDIUM

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details

26 Jun 2026
5.3
CVSS
CVE-2026-57923HIGH

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings

26 Jun 2026
7.5
CVSS
CVE-2026-57922MEDIUM

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible

26 Jun 2026
5.3
CVSS
CVE-2026-57921HIGH

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint

26 Jun 2026
7.5
CVSS
CVE-2026-53914CRITICAL

In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata

26 Jun 2026
9.8
CVSS
CVE-2026-49386MEDIUM

In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas

29 May 2026
6.5
CVSS
CVE-2026-49385MEDIUM

In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts

29 May 2026
6.5
CVSS
CVE-2026-49384MEDIUM

In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible

29 May 2026
6.1
CVSS
CVE-2026-49383LOW

In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible

29 May 2026
3.3
CVSS
CVE-2026-49382HIGH

In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin

29 May 2026
7.8
CVSS
CVE-2026-49381MEDIUM

In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible

29 May 2026
4.8
CVSS
CVE-2026-49380MEDIUM

In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible

29 May 2026
6.1
CVSS
CVE-2026-49379MEDIUM

In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names

29 May 2026
6.5
CVSS
CVE-2026-49378MEDIUM

In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion

29 May 2026
4.3
CVSS
CVE-2026-49377MEDIUM

In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters

29 May 2026
4.3
CVSS
CVE-2026-49376MEDIUM

In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin

29 May 2026
6.5
CVSS
CVE-2026-49375MEDIUM

In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page

29 May 2026
6.1
CVSS
CVE-2026-49374HIGH

In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters

29 May 2026
7.6
CVSS
CVE-2026-49373HIGH

In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings

29 May 2026
8.8
CVSS
CVE-2026-49372HIGH

In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible

29 May 2026
7.5
CVSS
CVE-2026-49371HIGH

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible

29 May 2026
8.2
CVSS
CVE-2026-49370HIGH

In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests

29 May 2026
7.5
CVSS
CVE-2026-49369MEDIUM

In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages

29 May 2026
4.3
CVSS
CVE-2026-49368MEDIUM

In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible

29 May 2026
5.4
CVSS
CVE-2026-49367HIGH

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account

29 May 2026
8.8
CVSS
CVE-2026-49366HIGH

In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion

29 May 2026
7.8
CVSS
CVE-2026-44413HIGH

In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users could expose server API to unauthorised access

11 May 2026
7.5
CVSS
CVE-2026-41882HIGH

In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server

30 Apr 2026
7.5
CVSS
CVE-2026-33392HIGH

In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass

17 Apr 2026
7.2
CVSS
CVE-2026-28196LOW

In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk

25 Feb 2026
2.3
CVSS
CVE-2026-28195MEDIUM

In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations

25 Feb 2026
4.3
CVSS
CVE-2026-28194MEDIUM

In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow

25 Feb 2026
6.1
CVSS
CVE-2026-28193MEDIUM

In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint

25 Feb 2026
5.3
CVSS
← PrevPage 1 / 1Next →