JetBrains: Creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin


Products by JetBrains Sorted by Most Security Vulnerabilities since 2018

JetBrains Teamcity: 252 vulnerabilities
JetBrains Youtrack: 106 vulnerabilities
JetBrains Intellij Idea: 58 vulnerabilities
JetBrains Hub: 33 vulnerabilities
JetBrains Ktor: 21 vulnerabilities
JetBrains Toolbox: 10 vulnerabilities
JetBrains Pycharm: 7 vulnerabilities
JetBrains Rider: 7 vulnerabilities
JetBrains Webstorm: 5 vulnerabilities
JetBrains Goland: 4 vulnerabilities
JetBrains Rubymine: 4 vulnerabilities
JetBrains Phpstorm: 4 vulnerabilities
JetBrains Resharper: 2 vulnerabilities
JetBrains Clion: 2 vulnerabilities
JetBrains Mps: 2 vulnerabilities
JetBrains Junie: 1 vulnerability
JetBrains Rustrover: 1 vulnerability
JetBrains Dataspell: 1 vulnerability
JetBrains Datagrip: 1 vulnerability
JetBrains Aqua: 1 vulnerability

Known Exploited JetBrains Vulnerabilities

The following JetBrains vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: JetBrains TeamCity Authentication Bypass Vulnerability
Description: JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
CVE-2024-27198 Exploit Probability: 94.6%
Added: March 7, 2024

Title: JetBrains TeamCity Authentication Bypass Vulnerability
Description: JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
CVE-2023-42793 Exploit Probability: 92.9%
Added: October 4, 2023

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 6 vulnerabilities in JetBrains with an average score of 7.6 out of ten. Last year, in 2025, JetBrains had 84 security vulnerabilities published. Right now, JetBrains is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.54.




Year Vulnerabilities Average Score
2026 6 7.62
2025 84 6.07
2024 103 6.20
2023 54 6.54
2022 75 6.48
2021 88 6.66
2020 57 6.38
2019 57 8.28
2018 2 0.00

It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-32745 Mar 13, 2026
Title: JetBrains Datalore <=2026.0 Session Hijacking via Cookie Secure Attribute
Description: In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings

CVE-2026-32229 Mar 11, 2026
Title: Account Mismatch on SignIn in JetBrains Hub <2026.1 (CVE-2026-32229)
Description: In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled
Products: Hub

CVE-2026-28193 Feb 25, 2026
Title: JetBrains YouTrack < 2025.3.121962 AuthBreach via perms endpoint
Description: In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
Products: Youtrack

CVE-2026-25848 Feb 09, 2026
Title: JetBrains Hub auth bypass pre-2025.3.119807 permits admin actions
Description: In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible
Products: Hub

CVE-2026-25847 Feb 09, 2026
Title: PyCharm 2025.3.1 DOM XSS in Jupyter Viewer
Description: In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible
Products: Pycharm

CVE-2026-25846 Feb 09, 2026
Title: JetBrains YouTrack <2025.3.119033 access tokens exposed in mailbox logs
Description: In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
Products: Youtrack

CVE-2025-68269 Dec 16, 2025
Title: JetBrains IntelliJ IDEA <2025.3: SSH Remote Project Confirmation Bypass
Description: In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH
Products: Intellij Idea

CVE-2025-68268 Dec 16, 2025
Title: TeamCity Reflected XSS (Storage Settings) before 2025.11.1
Description: In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page
Products: Teamcity

CVE-2025-68267 Dec 16, 2025
Title: JetBrains TeamCity < 2025.11.1: GitHub PA Token Stored Privilege Escalation
Description: In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token
Products: Teamcity

CVE-2025-68166 Dec 16, 2025
Title: JetBrains TeamCity <=2025.10 DOM XSS on OAuth Connections Tab
Description: In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab
Products: Teamcity

CVE-2025-68165 Dec 16, 2025
Title: JetBrains TeamCity pre-2025.11: VCS Root setup Reflected XSS
Description: In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup
Products: Teamcity

CVE-2025-68164 Dec 16, 2025
Title: JetBrains TeamCity Port Enumeration via Perforce Conn Test (pre-2025.11)
Description: In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test
Products: Teamcity

CVE-2025-68163 Dec 16, 2025
Title: TeamCity <2025.11: stored XSS on agentpushInstall page
Description: In JetBrains TeamCity before 2025.11 stored XSS was possible on agentpushInstall page
Products: Teamcity

CVE-2025-68162 Dec 16, 2025
Title: TeamCity <2025.11: Maven Embedder allows Unrestricted Extension Loading
Description: In JetBrains TeamCity before 2025.11 maven embedder allowed loading extensions via project configuration
Products: Teamcity

CVE-2025-67742 Dec 11, 2025
Title: TeamCity < 2025.11 Path Traversal via File Upload (CVE-2025-67742)
Description: In JetBrains TeamCity before 2025.11 path traversal was possible via file upload
Products: Teamcity

CVE-2025-67741 Dec 11, 2025
Title: JetBrains TeamCity 2025.10 Stored XSS via session attribute
Description: In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute
Products: Teamcity

CVE-2025-67740 Dec 11, 2025
Title: JetBrains TeamCity <2025.11: Improper Access Control Exposes GH Token Metadata
Description: In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata
Products: Teamcity

CVE-2025-67739 Dec 11, 2025
Title: JetBrains TeamCity <2025.11.2 Rp URL Validation flaw => Local Path Disclosure
Description: In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure
Products: Teamcity

CVE-2025-64773 Nov 11, 2025
Title: YouTrack <2025.3.104432 Race Condition Bypass Helpdesk Agent Limit
Description: In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
Products: Youtrack

CVE-2025-64457 Nov 10, 2025
Title: dotTrace before 2025.2.5 Local Priv Esc via Race Condition
Description: In JetBrains ReSharper, Rider and dotTrace before 2025.2.5 local privilege escalation was possible via race condition
Products: Rider

CVE-2025-64456 Nov 10, 2025
Title: ReSharper DPA Collector LPE before 2025.2.4
Description: In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation
Products: Resharper

CVE-2025-64690 Nov 10, 2025
Title: JetBrains YouTrack <2025.3.104432 insecure Junie config: data exfil + auth chg
Products: Youtrack

CVE-2025-64689 Nov 10, 2025
Title: YouTrack <=2025.3.104432 Junie Token Leak via Misconfig
Products: Youtrack

CVE-2025-64688 Nov 10, 2025
Title: JetBrains YouTrack <2025.3.104432 URL Validation Flaw: Unauthorized Repo Access
Products: Youtrack

CVE-2025-64687 Nov 10, 2025
Title: JetBrains YouTrack <2025.3.104432 Improper Access Control in MCP Logic
Products: Youtrack

CVE-2025-64686 Nov 10, 2025
Title: YouTrack<2025.3.104432: Auth Context Reuse via Missing Principal Cleanup
Products: Youtrack

CVE-2025-64685 Nov 10, 2025
Title: YouTrack TLS Cert Validation Bypass CVE-2025-64685 (pre 2025.3.104432)
Description: In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
Products: Youtrack

CVE-2025-64683 Nov 10, 2025
Title: JetBrains Hub <2025.3.104432: Users API Info Disclosure
Description: In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API
Products: Hub

CVE-2025-64684 Nov 10, 2025
Title: CVE-2025-64684: YouTrack < 2025.3.104432 Info Disclosure via Feedback Form
Description: In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
Products: Youtrack

CVE-2025-64682 Nov 10, 2025
Title: JetBrains Hub Before 2025.3.104432: Race Condition Allows Agent-User Limit Bypass
Description: In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit
Products: Hub

CVE-2025-64681 Nov 10, 2025
Title: JetBrains Hub <2025.3.104992: Race Cond Bypass Invite User Limit
Description: In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations
Products: Hub

CVE-2025-59458 Sep 17, 2025
Title: Code Exec via Cmd Validation in JetBrains Junie <252.284.66
Description: In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 code execution was possible due to improper command validation
Products: Junie

CVE-2025-59457 Sep 17, 2025
Title: TeamCity < 2025.07.2 Git URL Validation Flaw Causing Credential Leak on Windows
Description: In JetBrains TeamCity before 2025.07.2 missing Git URL validation allowed credential leakage on Windows
Products: Teamcity

CVE-2025-59456 Sep 17, 2025
Title: JetBrains TeamCity <2025.07.2 PT on Project Archive Upload
Description: In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload
Products: Teamcity

CVE-2025-59455 Sep 17, 2025
Title: JetBrains TeamCity Project Isolation Bypass (Race Cond.)
Description: In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition
Products: Teamcity

CVE-2025-57733 Aug 20, 2025
Title: TeamCity <2025.07.1 – SMTP Injection via email component
Description: In JetBrains TeamCity before 2025.07.1 SMTP injection was possible allowing modification of email content
Products: Teamcity

CVE-2025-57732 Aug 20, 2025
Title: JetBrains TeamCity <2025.07.1 Privilege Escalation via Wrong Dir Ownership
Description: In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership
Products: Teamcity

CVE-2025-57731 Aug 20, 2025
Title: YouTrack XSS via Mermaid diagram pre-2025.2.92387
Description: In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content
Products: Youtrack

CVE-2025-57730 Aug 20, 2025
Title: CVE-2025-57730: HTML Injection via Remote Dev in IntelliJ IDEA < 2025.2
Description: In JetBrains IntelliJ IDEA before 2025.2 HTML injection was possible via Remote Development feature
Products: Intellij Idea

CVE-2025-57729 Aug 20, 2025
Title: JetBrains IntelliJ IDEA <=2025.1 LSP Auto-Start Enables Unexpected Plugin Launch
Description: In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start
Products: Intellij Idea

CVE-2025-57728 Aug 20, 2025
Title: IntelliJ IDEA <2025.2: Code With Me Guest Hidden File Disclosure
Description: In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files
Products: Intellij Idea

CVE-2025-57727 Aug 20, 2025
Title: JetBrains IntelliJ IDEA pre-2025.2: Remote Credentials Disclosure
Description: In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference
Products: Intellij Idea

CVE-2025-57734 Aug 20, 2025
Title: TeamCity <2025.07.1: AWS Creds Leak in Docker Scripts
Description: In JetBrains TeamCity before 2025.07.1 AWS credentials were exposed in Docker script files
Products: Teamcity

CVE-2025-54529 Jul 28, 2025
Title: JetBrains TeamCity < 2025.07 CSRF via External OAuth
Description: In JetBrains TeamCity before 2025.07 a CSRF was possible in external OAuth login integration
Products: Teamcity

CVE-2025-54531 Jul 28, 2025
Title: TeamCity 2025.07 Path Traversal via Plugin Unpacking on Windows
Description: In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows
Products: Teamcity

CVE-2025-54534 Jul 28, 2025
Title: TeamCity <=2025.07 Reflected XSS on agentpushPreset
Description: In JetBrains TeamCity before 2025.07 reflected XSS was possible on the agentpushPreset page
Products: Teamcity

CVE-2025-54533 Jul 28, 2025
Title: TeamCity before 2025.07: Improper Access Control Exposes VCS Build Settings
Description: In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration
Products: Teamcity

CVE-2025-54532 Jul 28, 2025
Title: TeamCity <=2025.07 Improper Access Control - Disclosure of Build Settings
Description: In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via snapshot dependencies
Products: Teamcity

CVE-2025-54536 Jul 28, 2025
Title: JetBrains TeamCity <2025.07 CSRF on GraphQL Endpoint
Description: In JetBrains TeamCity before 2025.07 a CSRF was possible on GraphQL endpoint
Products: Teamcity

CVE-2025-54535 Jul 28, 2025
Title: JetBrains TeamCity <2025.07 Weak Hashing of Reset/Verify Tokens
Description: In JetBrains TeamCity before 2025.07 password reset and email verification tokens were using weak hashing algorithms
Products: Teamcity

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).