JetBrains: creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity and Kotlin


Products by JetBrains, sorted by number of security vulnerabilities since 2018

Product Vulnerabilities
JetBrains TeamCity 224
JetBrains YouTrack 91
JetBrains IntelliJ IDEA 48
JetBrains Hub 28
JetBrains Ktor 20
JetBrains Toolbox 9
JetBrains PyCharm 6
JetBrains WebStorm 5
JetBrains Rider 5
JetBrains RubyMine 4
JetBrains PhpStorm 4
JetBrains GoLand 3
JetBrains CLion 2
JetBrains MPS 2
JetBrains RustRover 1
JetBrains DataSpell 1
JetBrains DataGrip 1
JetBrains Aqua 1

Known Exploited JetBrains Vulnerabilities

The following JetBrains vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

CVE-2024-27198 - JetBrains TeamCity Authentication Bypass Vulnerability - added March 7, 2024 - EPSS exploit probability 94.6%
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

CVE-2023-42793 - JetBrains TeamCity Authentication Bypass Vulnerability - added October 4, 2023 - EPSS exploit probability 94.6%
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Both known exploited vulnerabilities above sit in the top 1% (the 99th percentile) of the EPSS exploit probability rankings.

By the Year

In 2025 so far, 27 vulnerabilities have been published for JetBrains products, with an average CVSS base score of 6.6 out of 10. In 2024, 103 were published. At the current rate JetBrains is on track to have fewer security vulnerabilities in 2025 than last year, although the average base score in 2025 is higher by 0.44 (6.64 versus 6.20).




Year Vulnerabilities Average Score
2025 27 6.64
2024 103 6.20
2023 53 6.56
2022 73 6.45
2021 88 6.66
2020 57 6.52
2019 57 7.08
2018 1 7.80

It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Security Vulnerabilities

Each entry gives the vulnerability summary, then its CVE identifier, CVSS base score and severity (where NVD has scored it), publication date and weakness category.

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
CVE-2025-52875 - June 23, 2025 - XSS

In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
CVE-2025-52876 - June 23, 2025 - XSS

In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible
CVE-2025-52877 - June 23, 2025 - XSS

In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions
CVE-2025-52878 - June 23, 2025 - AuthZ

In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible
CVE-2025-52879 - June 23, 2025 - XSS

In JetBrains TeamCity before 2025.03.2 stored XSS via GitHub Checks Webhook was possible
CVE-2025-47851 5.4 - Medium - May 20, 2025 - XSS

In JetBrains TeamCity before 2025.03.2 stored XSS via YouTrack integration was possible
CVE-2025-47852 5.4 - Medium - May 20, 2025 - XSS

In JetBrains TeamCity before 2025.03.2 stored XSS via Jira integration was possible
CVE-2025-47853 5.4 - Medium - May 20, 2025 - XSS

In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page
CVE-2025-47854 6.1 - Medium - May 20, 2025 - Open Redirect
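The page does not say how the VCS Root page in CVE-2025-47854 built its redirect, so the following is an added example rather than TeamCity code: the check a server should apply to any "return to" parameter before emitting a Location header. The application origin, the sample targets and the function name are assumptions.

```javascript
'use strict';
// Added example, not TeamCity's own code: accept a post-action redirect target
// only when it stays on the application's own origin. The origin is an assumption.
const APP_ORIGIN = 'https://teamcity.example.com';

// Returns a same-origin relative URL to redirect to, or the fallback when the
// target must be refused. The raw parameter is never echoed into a Location header.
function safeRedirect(target, fallback = '/') {
  if (typeof target !== 'string' || target === '' || target.length > 2048) return fallback;
  // Protocol-relative and backslash forms ("//evil", "\\evil", "/\evil") are read
  // as a new host by browsers; refuse them before parsing as defence in depth.
  if (/^[\/\\]{2}/.test(target)) return fallback;
  let url;
  try {
    url = new URL(target, APP_ORIGIN);   // relative paths resolve against our origin
  } catch {
    return fallback;                     // unparseable input
  }
  // Exact origin match: rejects other hosts, "teamcity.example.com.evil.example",
  // "teamcity.example.com@evil.example" tricks, plain http, and non-http schemes
  // such as javascript: or data: (their origin serialises as "null").
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;   // re-serialised, never the raw input
}

// Constructed targets as an attacker or a legitimate page might send them.
for (const t of ['/admin/editVcsRoot.html?id=1', 'https://evil.example/', '//evil.example',
                 'javascript:alert(1)', 'https://teamcity.example.com@evil.example/']) {
  console.log(JSON.stringify(t), '->', safeRedirect(t));
}
```

Returning the re-serialised path rather than the caller's string matters: a parser that agrees the target is same-origin says nothing about how the browser will read the raw bytes, so the server should only ever emit what it parsed.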

In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs
CVE-2025-46432 6.5 - Medium - April 25, 2025 - Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible
CVE-2025-46433 9.8 - Critical - April 25, 2025 - Directory traversal

In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab
CVE-2025-46618 6.1 - Medium - April 25, 2025 - XSS

In JetBrains RubyMine before 2025.1 remote Interpreter overwrote ports to listen on all interfaces
CVE-2025-43015 6.5 - Medium - April 17, 2025 - Insecure Default Initialization of Resource

In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation
CVE-2025-43014 6.5 - Medium - April 17, 2025 - Missing Critical Step in Authentication

In JetBrains Toolbox App before 2.6 host key verification was missing in SSH plugin
CVE-2025-42921 6.5 - Medium - April 17, 2025 - Improper Validation of Certificate with Host Mismatch

In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible
CVE-2025-43013 7.5 - High - April 17, 2025 - Cleartext Transmission of Sensitive Information

In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log
CVE-2025-31139 6.5 - Medium - March 27, 2025 - Insertion of Sensitive Information into Log File
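Two TeamCity entries in this list, CVE-2025-46432 and CVE-2025-31139, concern base64-encoded credentials reaching build logs. Base64 is an encoding, not protection, and a plain-text secret scanner that only matches "password=" will miss it. The block below is an added example, not TeamCity code, of the detection logic a log pipeline can run before a log is stored or displayed: it decodes base64 runs on each line and flags the ones shaped like user:password, plus anything following an Authorization header. The sample log lines are constructed.

```javascript
'use strict';
// Added example, not TeamCity's own code: scan build-log lines for base64
// blobs that decode to credentials, so they can be redacted before the log
// is stored or shown. The sample log below is constructed.

const B64_RUN = /[A-Za-z0-9+\/]{12,}={0,2}/g;                       // base64 runs worth decoding
const AUTH_HEADER = /authorization\s*:\s*(basic|bearer)\s+([A-Za-z0-9+\/=._~-]+)/i;

// A decoded blob counts as a credential when it is printable ASCII shaped like
// "user:password". Binary data (hashes, compressed blobs) decodes to
// non-printable bytes and is ignored.
function looksLikeCredential(decoded) {
  if (!/^[\x20-\x7e]+$/.test(decoded)) return false;
  const colon = decoded.indexOf(':');
  return colon > 0 && colon < decoded.length - 1;
}

function mask(blob) {
  return blob.length <= 8 ? '***' : blob.slice(0, 4) + '***' + blob.slice(-4);
}

// Findings for one line: an explicit Authorization header is always reported,
// any other base64 run only if it decodes to user:password.
function scanLine(line) {
  const findings = [];
  const header = AUTH_HEADER.exec(line);
  if (header) {
    findings.push({ kind: 'authorization-' + header[1].toLowerCase(), masked: mask(header[2]) });
  }
  for (const m of line.matchAll(B64_RUN)) {
    const blob = m[0];
    if (header && header[2] === blob) continue;                     // already reported above
    const decoded = Buffer.from(blob, 'base64').toString('utf8');
    if (looksLikeCredential(decoded)) {
      findings.push({ kind: 'base64-user-colon-password', masked: mask(blob) });
    }
  }
  return findings;
}

// Scan a whole log; returns the lines that need redaction.
function scanLog(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    const findings = scanLine(line);
    if (findings.length) hits.push({ lineNo: i + 1, findings });
  });
  return hits;
}

// Constructed sample; line 2 carries "deploy:s3cr3t-pass", line 5 "admin:hunter2".
const SAMPLE_LOG = [
  '[12:00:01] Step 1/3: Fetch dependencies',
  '[12:00:02] curl -H "Authorization: Basic ZGVwbG95OnMzY3IzdC1wYXNz" https://registry.example/pkg',
  '[12:00:03] docker login registry.example -u deploy -p ***',
  '[12:00:04] artifact commit a94a8fe5ccb19ba61c4c0873d391e987982fbbd3',
  '[12:00:05] auth-token: YWRtaW46aHVudGVyMg==',
  '[12:00:06] Build finished',
].join('\n');

for (const hit of scanLog(SAMPLE_LOG)) {
  for (const f of hit.findings) console.log(`line ${hit.lineNo}: ${f.kind} ${f.masked}`);
}
```

The decode-and-inspect step is what distinguishes this from a keyword grep: the git hash on line 4 is also a valid base64 run, but it decodes to non-printable bytes and is left alone, while the two real secrets are caught even though neither line contains the word "password".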

In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page
CVE-2025-31140 6.1 - Medium - March 27, 2025 - XSS

In JetBrains TeamCity before 2025.03 exception could lead to credential leakage on Cloud Profiles page
CVE-2025-31141 7.5 - High - March 27, 2025 - Generation of Error Message Containing Sensitive Information

In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources
CVE-2025-26492 9.1 - Critical - February 11, 2025 - Insufficiently Protected Credentials

In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab
CVE-2025-26493 6.1 - Medium - February 11, 2025 - XSS

In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping
CVE-2025-24456 8.8 - High - January 21, 2025 - Missing Authentication for Critical Function

In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs
CVE-2025-24457 5.5 - Medium - January 21, 2025 - Insertion of Sensitive Information into Log File

In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
CVE-2025-24458 7.8 - High - January 21, 2025 - Authentication Bypass by Spoofing

In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page
CVE-2025-24459 6.1 - Medium - January 21, 2025 - XSS

In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects names in the agent pool
CVE-2025-24460 4.3 - Medium - January 21, 2025 - AuthZ

In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint
CVE-2025-24461 6.5 - Medium - January 21, 2025 - AuthZ

JetBrains TeamCity Improper Access Control Vulnerability in Agent Details
CVE-2024-56348 4.3 - Medium - December 20, 2024 - AuthZ
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents

JetBrains TeamCity XMLParser XXE Vulnerability
CVE-2024-56356 7.1 - High - December 20, 2024 - XXE
In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack

JetBrains TeamCity RemoteBuildLogController XSS Vulnerability
CVE-2024-56355 5.4 - Medium - December 20, 2024 - XSS
In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS

JetBrains TeamCity Password Field Access Vulnerability
CVE-2024-56354 4.9 - Medium - December 20, 2024 - Insufficiently Protected Credentials
In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission

JetBrains TeamCity Backup File Exposure Vulnerability
CVE-2024-56353 6.5 - Medium - December 20, 2024 - Improper Removal of Sensitive Information Before Storage or Transfer
In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies

JetBrains TeamCity Stored XSS Vulnerability in Agent Details Page
CVE-2024-56352 5.4 - Medium - December 20, 2024 - XSS
In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page

JetBrains TeamCity Access Token Revocation Failure
CVE-2024-56351 8.8 - High - December 20, 2024 - Insufficient Session Expiration
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles

JetBrains TeamCity Unauthorized Project Viewing Vulnerability
CVE-2024-56350 4.3 - Medium - December 20, 2024 - AuthZ
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects

JetBrains TeamCity Improper Access Control Vulnerability in Build Logs
CVE-2024-56349 5.3 - Medium - December 20, 2024 - AuthZ
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs

JetBrains YouTrack Punycode Encoding Spoofing Vulnerability
CVE-2024-54158 5.3 - Medium - December 04, 2024 - Authentication Bypass by Spoofing
In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding

JetBrains YouTrack Ruby Syntax Detector ReDoS Vulnerability
CVE-2024-54157 6.5 - Medium - December 04, 2024 - ReDoS
In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector

JetBrains YouTrack Multiple Merge Functions Prototype Pollution Vulnerability
CVE-2024-54156 6.5 - Medium - December 04, 2024 - Prototype Pollution
In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack
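"Multiple merge functions" in CVE-2024-54156 is a familiar shape: a recursive merge that walks into every key of attacker-controlled JSON, including "__proto__", and so writes onto Object.prototype. The block below is an added example, not YouTrack code, showing the vulnerable merge beside a hardened one and a constructed payload that pollutes the first but not the second. The setting names in the payload are assumptions.

```javascript
'use strict';
// Added example, not YouTrack's own code: a recursive merge open to prototype
// pollution next to a hardened one. The payload is constructed; in practice it
// would arrive as parsed JSON from a request body or a stored setting.

// Vulnerable: for..in walks into every key, including "__proto__". Reading
// target["__proto__"] yields Object.prototype, so the recursion writes onto it
// and every object in the process inherits the attacker's property.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: own keys only, prototype-reaching keys skipped, and the existing
// value is recursed into only if it is an own plain object, never an inherited one.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload: a legitimate setting plus a "__proto__" key. JSON.parse
// creates it as an ordinary own property, which is exactly what the merge walks into.
const PAYLOAD = JSON.parse('{"theme":{"dark":true},"__proto__":{"isAdmin":true}}');

// Run the vulnerable merge and report whether an unrelated object got polluted.
// The polluted property is deleted afterwards so the rest of the process is clean.
function runUnsafe() {
  const settings = mergeUnsafe({}, PAYLOAD);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { dark: settings.theme.dark, leaked };
}

function runSafe() {
  const settings = mergeSafe({}, PAYLOAD);
  return { dark: settings.theme.dark, leaked: ({}).isAdmin === true };
}

console.log('unsafe merge:', runUnsafe());   // { dark: true, leaked: true }
console.log('safe merge:  ', runSafe());     // { dark: true, leaked: false }
```

Blocking the three key names is the minimum; merging into objects created with Object.create(null), or freezing Object.prototype at startup where the application can tolerate it, removes the sink altogether rather than relying on every merge helper remembering the check.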

JetBrains YouTrack Improper Access Control Vulnerability in Project Listing
CVE-2024-54155 5.3 - Medium - December 04, 2024 - Missing Authentication for Critical Function
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication

JetBrains YouTrack Path Traversal Vulnerability in Plugin Sandbox
CVE-2024-54154 9.8 - Critical - December 04, 2024 - Directory traversal
In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox

JetBrains YouTrack Unauthenticated Database Backup Download Vulnerability
CVE-2024-54153 6.5 - Medium - December 04, 2024 - Missing Authentication for Critical Function
In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter

JetBrains WebStorm Untrusted Project Mode Code Execution Vulnerability
CVE-2024-52555 7.8 - High - November 15, 2024 - Acceptance of Extraneous Untrusted Data With Trusted Data
In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
CVE-2024-50582 5.4 - Medium - October 28, 2024 - XSS

In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag
CVE-2024-50581 5.4 - Medium - October 28, 2024 - XSS

In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule
CVE-2024-50580 5.4 - Medium - October 28, 2024 - XSS

In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
CVE-2024-50579 6.1 - Medium - October 28, 2024 - XSS

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page
CVE-2024-50578 5.4 - Medium - October 28, 2024 - XSS

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings
CVE-2024-50577 5.4 - Medium - October 28, 2024 - XSS

In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
CVE-2024-50575 6.1 - Medium - October 28, 2024 - XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms