JetBrains (creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin)
Known Exploited JetBrains Vulnerabilities
The following JetBrains vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added
---|---|---
JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions. CVE-2024-27198 (EPSS exploit probability: 94.6%) | March 7, 2024
JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server. CVE-2023-42793 (EPSS exploit probability: 94.6%) | October 4, 2023
Both of the known exploited vulnerabilities above are in the top 1% (the 99th percentile) of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 27 vulnerabilities in JetBrains products, with an average score of 6.6 out of ten. Last year, in 2024, JetBrains had 103 security vulnerabilities published. Right now, JetBrains is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.44.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 27 | 6.64 |
2024 | 103 | 6.20 |
2023 | 53 | 6.56 |
2022 | 73 | 6.45 |
2021 | 88 | 6.66 |
2020 | 57 | 6.52 |
2019 | 57 | 7.08 |
2018 | 1 | 7.80 |
It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Security Vulnerabilities
CVE | Score | Published | Description | Class
---|---|---|---|---
CVE-2025-52875 | n/a | June 23, 2025 | In JetBrains TeamCity before 2025.03.3 a DOM-based XSS on the Performance Monitor page was possible | XSS
CVE-2025-52876 | n/a | June 23, 2025 | In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible | XSS
CVE-2025-52877 | n/a | June 23, 2025 | In JetBrains TeamCity before 2025.03.3 reflected XSS on the diskUsageBuildsStats page was possible | XSS
CVE-2025-52878 | n/a | June 23, 2025 | In JetBrains TeamCity before 2025.03.3 usernames were exposed to users without proper permissions | AuthZ
CVE-2025-52879 | n/a | June 23, 2025 | In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible | XSS
CVE-2025-47851 | 5.4 - Medium | May 20, 2025 | In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible | XSS
CVE-2025-47852 | 5.4 - Medium | May 20, 2025 | In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible | XSS
CVE-2025-47853 | 5.4 - Medium | May 20, 2025 | In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible | XSS
CVE-2025-47854 | 6.1 - Medium | May 20, 2025 | In JetBrains TeamCity before 2025.03.2 open redirect was possible on the VCS Root editing page | Open Redirect
CVE-2025-46432 | 6.5 - Medium | April 25, 2025 | In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs | Insertion of Sensitive Information into Log File
CVE-2025-46433 | 9.8 - Critical | April 25, 2025 | In JetBrains TeamCity before 2025.03.1 improper path validation in the loggingPreset parameter was possible | Directory traversal
CVE-2025-46618 | 6.1 - Medium | April 25, 2025 | In JetBrains TeamCity before 2025.03.1 stored XSS was possible on the Data Directory tab | XSS
CVE-2025-43015 | 6.5 - Medium | April 17, 2025 | In JetBrains RubyMine before 2025.1 the remote interpreter overwrote ports to listen on all interfaces | Insecure Default Initialization of Resource
CVE-2025-43014 | 6.5 - Medium | April 17, 2025 | In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation | Missing Critical Step in Authentication
CVE-2025-42921 | 6.5 - Medium | April 17, 2025 | In JetBrains Toolbox App before 2.6 host key verification was missing in the SSH plugin | Improper Validation of Certificate with Host Mismatch
CVE-2025-43013 | 7.5 - High | April 17, 2025 | In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible | Cleartext Transmission of Sensitive Information
CVE-2025-31139 | 6.5 - Medium | March 27, 2025 | In JetBrains TeamCity before 2025.03 a base64-encoded password could be exposed in the build log | Insertion of Sensitive Information into Log File
CVE-2025-31140 | 6.1 - Medium | March 27, 2025 | In JetBrains TeamCity before 2025.03 stored XSS was possible on the Cloud Profiles page | XSS
CVE-2025-31141 | 7.5 - High | March 27, 2025 | In JetBrains TeamCity before 2025.03 an exception could lead to credential leakage on the Cloud Profiles page | Generation of Error Message Containing Sensitive Information
CVE-2025-26492 | 9.1 - Critical | February 11, 2025 | In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources | Insufficiently Protected Credentials
CVE-2025-26493 | 6.1 - Medium | February 11, 2025 | In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab | XSS
CVE-2025-24456 | 8.8 - High | January 21, 2025 | In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping | Missing Authentication for Critical Function
CVE-2025-24457 | 5.5 - Medium | January 21, 2025 | In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs | Insertion of Sensitive Information into Log File
CVE-2025-24458 | 7.8 - High | January 21, 2025 | In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration | Authentication Bypass by Spoofing
CVE-2025-24459 | 6.1 - Medium | January 21, 2025 | In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page | XSS
CVE-2025-24460 | 4.3 - Medium | January 21, 2025 | In JetBrains TeamCity before 2024.12.1 improper access control allowed users to see project names in the agent pool | AuthZ
CVE-2025-24461 | 6.5 - Medium | January 21, 2025 | In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via the Test Connection endpoint | AuthZ
CVE-2024-56348 | 4.3 - Medium | December 20, 2024 | In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents | AuthZ
CVE-2024-56356 | 7.1 - High | December 20, 2024 | In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to a potential XXE attack | XXE
CVE-2024-56355 | 5.4 - Medium | December 20, 2024 | In JetBrains TeamCity before 2024.12 a missing Content-Type header in the RemoteBuildLogController response could lead to XSS | XSS
CVE-2024-56354 | 4.9 - Medium | December 20, 2024 | In JetBrains TeamCity before 2024.12 password field values were accessible to users with the view settings permission | Insufficiently Protected Credentials
CVE-2024-56353 | 6.5 - Medium | December 20, 2024 | In JetBrains TeamCity before 2024.12 the backup file exposed user credentials and session cookies | Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2024-56352 | 5.4 - Medium | December 20, 2024 | In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page | XSS
CVE-2024-56351 | 8.8 - High | December 20, 2024 | In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles | Insufficient Session Expiration
CVE-2024-56350 | 4.3 - Medium | December 20, 2024 | In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects | AuthZ
CVE-2024-56349 | 5.3 - Medium | December 20, 2024 | In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs | AuthZ
CVE-2024-54158 | 5.3 - Medium | December 04, 2024 | In JetBrains YouTrack before 2024.3.52635 a potential spoofing attack was possible via lack of Punycode encoding | Authentication Bypass by Spoofing
CVE-2024-54157 | 6.5 - Medium | December 04, 2024 | In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to a vulnerable RegExp in the Ruby syntax detector | ReDoS
CVE-2024-54156 | 6.5 - Medium | December 04, 2024 | In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution | Prototype Pollution
CVE-2024-54155 | 5.3 - Medium | December 04, 2024 | In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication | Missing Authentication for Critical Function
CVE-2024-54154 | 9.8 - Critical | December 04, 2024 | In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in the plugin sandbox | Directory traversal
CVE-2024-54153 | 6.5 - Medium | December 04, 2024 | In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via a vulnerable query parameter | Missing Authentication for Critical Function
CVE-2024-52555 | 7.8 - High | November 15, 2024 | In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via the type definitions installer script | Acceptance of Extraneous Untrusted Data With Trusted Data
CVE-2024-50582 | 5.4 - Medium | October 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements | XSS
CVE-2024-50581 | 5.4 - Medium | October 28, 2024 | In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS via comment tag | XSS
CVE-2024-50580 | 5.4 - Medium | October 28, 2024 | In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and a custom rendering rule | XSS
CVE-2024-50579 | 6.1 - Medium | October 28, 2024 | In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible | XSS
CVE-2024-50578 | 5.4 - Medium | October 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on the agile boards page | XSS
CVE-2024-50577 | 5.4 - Medium | October 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings | XSS