By vendor

Jetbrains vulnerabilities

Known CVEs affecting Jetbrains products, prioritized by severity, with SEC.co remediation and detection guidance.

21 published vulnerabilities

  • CVE-2026-49368HIGH 8.7

    JetBrains YouTrack versions before 2026.1.13162 contain a stored cross-site scripting (XSS) vulnerability in project notification templates. An authenticated attacker can inject malicious scripts into notification templates that will execute in the browsers of other users who view those notifications. This is a stored XSS rather than a reflected attack, meaning the payload persists and affects multiple users over time, increasing its impact potential.

  • CVE-2026-49367HIGH 8.0

    JetBrains IntelliJ IDEA contains a command execution vulnerability affecting versions before 2026.1.1. An authenticated user with guest-level privileges can execute arbitrary commands on the system where IntelliJ IDEA is running. The vulnerability requires user interaction but grants an attacker with low-privilege access the ability to perform high-impact actions, including reading sensitive files, modifying project code, or disrupting development environments.

  • CVE-2026-49366HIGH 7.8

    JetBrains IntelliJ IDEA contains a command injection vulnerability in its filename completion feature that could allow an attacker to execute arbitrary commands on a developer's machine. The vulnerability requires local access and user interaction—specifically, a user must interact with the filename completion mechanism—but once triggered, it grants full system access with the privileges of the user running the IDE. This affects versions before 2026.1.1.

  • CVE-2026-49374HIGH 7.6

    JetBrains TeamCity versions prior to 2026.1 suffer from insufficient permission checks that allow authenticated users to access sensitive build configuration parameters they should not be able to view. An attacker with valid login credentials but limited project access could extract confidential build settings, secrets, or other sensitive configuration data by exploiting this authorization flaw.

  • CVE-2026-49372HIGH 7.5

    JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 contain a server-side request forgery (SSRF) vulnerability accessible without authentication. An attacker can abuse the build status feature to make the TeamCity server perform unintended HTTP requests to internal or external systems, potentially exposing sensitive data or accessing restricted resources. The vulnerability requires no user interaction and can be exploited over the network.

  • CVE-2026-49371HIGH 7.1

    JetBrains TeamCity versions prior to 2026.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the keyword filter feature. An attacker can craft a malicious URL containing unsanitized input that, when visited by a TeamCity user, executes arbitrary JavaScript in the victim's browser within the context of the TeamCity application. This allows session hijacking, credential theft, or unauthorized actions performed on behalf of the victim.

  • CVE-2026-49373HIGH 7.1

    JetBrains TeamCity versions prior to 2026.1 contain a remote code execution vulnerability accessible through the Perforce connection configuration interface. An authenticated user with permissions to modify Perforce settings can execute arbitrary code on the TeamCity server. This requires valid credentials and access to TeamCity's configuration features, but does not require user interaction or special system conditions once access is gained.

  • CVE-2026-49376MEDIUM 6.5

    JetBrains TeamCity versions prior to 2026.1 contain a vulnerability in the SAML authentication plugin where usernames are not properly validated. This weakness allows an attacker to bypass normal username restrictions and potentially gain unauthorized access or manipulate user identity claims during the authentication process. The vulnerability requires network access but no special credentials or user interaction to exploit.

  • CVE-2026-49379MEDIUM 6.5

    JetBrains TeamCity versions prior to 2026.1 contain a credential exposure vulnerability where sensitive authentication information could leak through thread names. An authenticated attacker with access to the TeamCity server could potentially extract credentials from system logs or monitoring output that display thread identities. This is a server-side information disclosure issue that does not require user interaction and affects the confidentiality of stored credentials.

  • CVE-2026-49385MEDIUM 6.5

    JetBrains YouTrack contains an access control flaw that allows standard users to modify service accounts—privileged system identities that handle automated tasks and integrations. This is a privilege escalation risk because service accounts typically have elevated permissions, and unauthorized modification could allow an attacker to hijack critical workflows or lateral-move within the organization. The vulnerability affects YouTrack versions prior to 2026.1.13570.

  • CVE-2026-49386MEDIUM 6.5

    JetBrains YouTrack versions prior to 2026.1.13570 contain an access control flaw that allows authenticated users to discover restricted issues and articles on the Planning Canvas feature. While attackers cannot modify or delete content, they can enumerate sensitive information that should be hidden from their permission level. This is a credential-based attack—an attacker must have valid YouTrack login credentials to exploit it, but once authenticated, the vulnerability requires no special interaction or additional privileges.

  • CVE-2026-49375MEDIUM 6.1

    JetBrains TeamCity versions before 2026.1 and 2025.11.5 contain a reflected cross-site scripting (XSS) vulnerability on the repository download page. An attacker can craft a malicious URL and trick a user into clicking it, allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect them to phishing sites. The vulnerability requires user interaction and does not directly compromise the server itself.

  • CVE-2026-49384MEDIUM 6.1

    JetBrains PyCharm versions prior to 2025.3.4 contain a stored cross-site scripting (XSS) vulnerability in Jupyter notebook Markdown cells. An attacker can inject malicious scripts into Markdown content within a notebook, which are then executed in the browser context of users who view the notebook. This allows for session hijacking, credential theft, or malware distribution without requiring the victim to take any action beyond opening an affected notebook.

  • CVE-2026-49382MEDIUM 4.5

    A vulnerability in JetBrains IntelliJ IDEA's Copyright plugin allows an attacker to execute code on a developer's machine through template injection. The attack requires local access and user interaction—specifically, a developer must open a malicious project or file. While the severity is moderate, this poses a real risk in shared development environments or when developers download untrusted projects.

  • CVE-2026-49369MEDIUM 4.3

    JetBrains YouTrack versions before 2026.1.13162 contained a flaw that allowed authenticated users to access sensitive information about other users and groups they shouldn't be able to see. The vulnerability is limited to the Users and Groups administrative pages and requires valid login credentials to exploit. This is a straightforward authorization issue where the application failed to properly restrict who could view certain user and group data.

  • CVE-2026-49377MEDIUM 4.3

    JetBrains TeamCity contains a configuration flaw where default agent parameters inadvertently expose sensitive data to authenticated users. An attacker with valid login credentials can access information through TeamCity's agent configuration that should remain restricted. This is a network-accessible issue affecting TeamCity deployments before version 2025.11.2, though the vulnerability requires prior authentication to exploit.

  • CVE-2026-49378MEDIUM 4.3

    JetBrains TeamCity contained a vulnerability where stored credentials could be inadvertently exposed through the parameter autocompletion feature. When users typed in parameter fields, the system would suggest previously stored credential values, potentially revealing sensitive authentication data to anyone with access to the TeamCity interface. This issue affects TeamCity versions prior to 2026.1 and requires an authenticated user to interact with the affected feature. The exposure is limited to local disclosure within the TeamCity environment rather than remote exfiltration.

  • CVE-2026-49370LOW 3.4

    JetBrains YouTrack versions before 2026.1.13162 contain an information disclosure vulnerability affecting the fetchApp request handler. An authenticated user with high privileges can trigger unintended data exposure through a request that includes user interaction, though the scope of disclosed information is limited. This is a low-severity issue that requires administrative or privileged account access to exploit.

  • CVE-2026-49381LOW 3.4

    CVE-2026-49381 is a stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity's SAML login page that existed prior to version 2026.1. An attacker with high privileges could inject malicious scripts into the login interface, which would then execute in the browsers of users who interact with that page. The vulnerability requires user interaction to trigger and has limited scope, affecting only the confidentiality of information visible to the victim during their session.

  • CVE-2026-49383LOW 3.3

    CVE-2026-49383 is a low-severity vulnerability in JetBrains IntelliJ IDEA's UI Designer form parser that could allow local attackers to read sensitive information from a user's system. The vulnerability requires user interaction—specifically opening a malicious or compromised form file in the IDE—and affects versions prior to 2026.1. The exposure is limited to information disclosure; the vulnerability does not enable code execution or system modification.

  • CVE-2026-49380LOW 3.1

    JetBrains TeamCity versions before 2026.1 contain an open redirect vulnerability in the SAML authentication plugin. An attacker could craft a malicious link that, when clicked by a user, redirects them to an attacker-controlled website after authentication. This requires user interaction and offers limited direct impact, but could be chained with phishing or credential harvesting tactics.