MEDIUM 6.1

CVE-2026-49384: Stored XSS in JetBrains PyCharm Jupyter Notebooks

JetBrains PyCharm versions prior to 2025.3.4 contain a stored cross-site scripting (XSS) vulnerability in Jupyter notebook Markdown cells. An attacker can inject malicious scripts into Markdown content within a notebook, which are then executed in the browser context of users who view the notebook. This allows for session hijacking, credential theft, or malware distribution without requiring the victim to take any action beyond opening an affected notebook.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49384 is a stored XSS vulnerability (CWE-79) affecting JetBrains PyCharm's Jupyter notebook integration. The flaw exists in how PyCharm renders and displays Markdown cells within notebooks. Untrusted input in Markdown cells is not properly sanitized before being rendered to the DOM, allowing persistent injection of arbitrary HTML and JavaScript. The vulnerability requires no authentication and can be triggered simply by opening a crafted notebook file, making the attack surface broad for teams collaborating on notebooks. The CVSS 3.1 vector (6.1 MEDIUM, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects network accessibility, low attack complexity, no privilege requirement, and user interaction as the limiting factor.

Business impact

For data science and ML teams using PyCharm with Jupyter notebooks, this vulnerability poses a real insider and supply-chain risk. Compromised notebooks shared across teams can silently exfiltrate credentials, steal API keys from the IDE environment, or inject malicious code into collaborative workflows. Organizations relying on notebook-driven development and research are particularly at risk if they share notebooks internally or via version control systems. The persistence of the payload within the notebook file itself means the threat endures until the notebook is remediated, creating a lingering attack surface.

Affected systems

JetBrains PyCharm versions before 2025.3.4 are affected. Users running version 2025.3.4 and later are not vulnerable. This includes PyCharm Community Edition and Professional Edition across all supported platforms (Windows, macOS, Linux). The vulnerability specifically affects the Jupyter notebook integration feature; standalone PyCharm editing and other IDEs in the JetBrains suite are not impacted.

Exploitability

Exploitability is moderate to high in collaborative environments. An attacker does not require authentication or special privileges to craft a malicious notebook. The primary barrier to exploitation is user interaction—the victim must open the notebook in an affected version of PyCharm. However, in team settings where notebooks are routinely shared via Git repositories, email, or shared storage, the likelihood of a user opening an adversary-controlled notebook is realistic. No known public exploits are currently tracked in CISA's Known Exploited Vulnerabilities catalog, but the simplicity of the attack (injecting HTML/JavaScript into Markdown) makes proof-of-concept development straightforward.

Remediation

The definitive fix is to upgrade JetBrains PyCharm to version 2025.3.4 or later. Verify the installed version in PyCharm via Help > About or check the JetBrains IDE download page for the latest release. Organizations should evaluate and deploy the patch to all developer workstations using PyCharm. Until patched, consider restricting the opening of untrusted or externally sourced notebooks, and educate developers on the risks of opening notebooks from unknown origins.

Patch guidance

Download and install PyCharm version 2025.3.4 or later from the official JetBrains website or your configured IDE auto-update mechanism. For enterprise deployments, verify compatibility with your toolchain and test in a non-production environment before rolling out to all users. If you maintain internally hosted PyCharm installations or plugin repositories, ensure the patched version is available and notify users of the update requirement. No manual configuration or workarounds are needed beyond upgrading; the fix is included in the release itself.

Detection guidance

Monitor for user activity opening or importing suspicious Jupyter notebooks, especially from external sources. IDE logs and audit trails may record notebook file access; correlate these with known threat indicators or behavioral anomalies. Use endpoint detection and response (EDR) tools to identify unexpected process spawning or network connections originating from the PyCharm process, which could indicate JavaScript execution within a compromised notebook. Source code management logs should be reviewed for recently added or modified notebooks with embedded HTML/script tags in Markdown cells. If running vulnerable versions, perform a retroactive audit of notebooks stored in repositories or shared locations.

Why prioritize this

Although the CVSS score is MEDIUM (6.1), organizations should prioritize this patch for teams actively using Jupyter notebooks in PyCharm. The stored nature of the vulnerability, combined with the ease of exploitation and collaborative workflows, elevates practical risk above the base score. Developers and data scientists are high-value targets; compromising their machines can yield significant lateral movement opportunities and access to sensitive data. The lack of KEV status does not diminish the need for timely patching in environments where notebook sharing is routine.

Risk score, explained

CVSS 3.1 assigns a score of 6.1 (MEDIUM) based on: network-accessible attack vector (AV:N), low attack complexity requiring no special conditions (AC:L), no privilege requirement (PR:N), and requirement for user interaction to open the notebook (UI:R). The scope change (S:C) reflects potential impact beyond the IDE process itself if JavaScript accesses cross-origin resources. Confidentiality and integrity are rated as low impact (C:L/I:L) because the attacker's capabilities depend on the victim's IDE environment and browser context; availability is unaffected (A:N). The score accurately reflects a real but not critical risk in typical deployments.

Frequently asked questions

Can this vulnerability be exploited remotely without user action?

No. While the vulnerability is network-accessible, it requires a user to explicitly open a malicious notebook file in PyCharm. There is no automatic or passive exploitation vector; the user must interact with the IDE to trigger the payload.

Are notebooks created in older versions of PyCharm automatically dangerous?

Not inherently. A notebook is dangerous only if it contains injected malicious Markdown. Older notebook files created legitimately are safe. However, if a notebook has been modified by an attacker or opened in an environment where an XSS payload was injected, it becomes a persistent threat until remediated or re-validated.

Does this affect Jupyter notebooks opened in web browsers or other tools?

This CVE is specific to JetBrains PyCharm's rendering of Jupyter notebooks. Other tools like JupyterLab, VS Code, or browser-based Jupyter instances may have different rendering pipelines and may not be vulnerable to this particular flaw. However, malicious Markdown in a notebook file could potentially affect other tools depending on their sanitization practices.

What should we do if we find a suspicious notebook in our repository?

Isolate the notebook, quarantine it from production systems, and audit the repository history to determine when it was added and by whom. Review any outputs or data that may have been accessed after the notebook was committed. If users have opened it, treat their machines as potentially compromised and conduct forensic analysis. After patching PyCharm, the notebook can be safely re-examined or removed entirely depending on your investigation findings.

This analysis is based on publicly available information about CVE-2026-49384 as of the publication date. Security conditions, patch availability, and threat landscape evolve; refer to the official JetBrains security advisories and your organization's threat intelligence sources for the most current information. No liability is assumed for decisions made based on this content. Always verify patch versions and compatibility within your environment before deployment. Exploit code or weaponized proof-of-concepts are not provided; this document is intended for defensive security planning only. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).