JetBrains JetBrains Creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any JetBrains product.

RSS Feeds for JetBrains security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in JetBrains products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by JetBrains Sorted by Most Security Vulnerabilities since 2018

JetBrains Teamcity268 vulnerabilities

JetBrains Youtrack120 vulnerabilities

JetBrains Intellij Idea64 vulnerabilities

JetBrains Hub36 vulnerabilities

JetBrains Ktor21 vulnerabilities

JetBrains Toolbox10 vulnerabilities

JetBrains Pycharm8 vulnerabilities

JetBrains Rider7 vulnerabilities

JetBrains Kotlin7 vulnerabilities

JetBrains Goland5 vulnerabilities

JetBrains Webstorm5 vulnerabilities

JetBrains Rubymine4 vulnerabilities

JetBrains Phpstorm4 vulnerabilities

JetBrains Resharper2 vulnerabilities

JetBrains Clion2 vulnerabilities

JetBrains Mps2 vulnerabilities

JetBrains Junie1 vulnerability

JetBrains Rustrover1 vulnerability

JetBrains Dataspell1 vulnerability

JetBrains Datagrip1 vulnerability

JetBrains Aqua1 vulnerability

Known Exploited JetBrains Vulnerabilities

The following JetBrains vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
JetBrains TeamCity Relative Path Traversal Vulnerability JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
CVE-2024-27199 Exploit Probability: 100.0%
April 20, 2026
JetBrains TeamCity Authentication Bypass Vulnerability JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
CVE-2024-27198 Exploit Probability: 99.9%
March 7, 2024
JetBrains TeamCity Authentication Bypass Vulnerability JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
CVE-2023-42793 Exploit Probability: 100.0%
October 4, 2023

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 49 vulnerabilities in JetBrains with an average score of 6.4 out of ten. Last year, in 2025 JetBrains had 84 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in JetBrains in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.31.




Year Vulnerabilities Average Score
2026 49 6.39
2025 84 6.07
2024 103 6.20
2023 54 6.54
2022 75 6.48
2021 88 6.66
2020 57 6.38
2019 57 8.28
2018 2 0.00

It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-61492 Jul 10, 2026
JetBrains YouTrack XSS via article title in digest email before 2026.2.17394 In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible
Youtrack
CVE-2026-59796 Jul 10, 2026
JetBrains TeamCity <2026.1.2: Pipeline Mod via Improper Perm Checks In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks
Teamcity
CVE-2026-59795 Jul 10, 2026
TeamCity XSS via unauth agent reg before 2026.1.2 (JetBrains) In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible
Teamcity
CVE-2026-59794 Jul 10, 2026
JetBrains TeamCity <2026.1.2 XSS via Agent Reported Data on Cloud Profile In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data
Teamcity
CVE-2026-59793 Jul 10, 2026
TeamCity < 2026.1.2 Perforce VCS arbitrary file access In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration
Teamcity
CVE-2026-59792 Jul 10, 2026
JetBrains IntelliJ IDEA <2026.1.4: Path Traversal Exec via Workspace ID In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible
Intellij Idea
CVE-2026-59791 Jul 10, 2026
YouTrack <2026.2.17012: CSS Injection via Mermaid Diagram In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible
Youtrack
CVE-2026-53914 Jun 26, 2026
JetBrains Kotlin <2.4.20 Uns. Deser. in Build Cache Metadata Assigner In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
Kotlin
CVE-2026-57926 Jun 26, 2026
Prototype Pollution in JetBrains YouTrack before 2026.2.16593 Websandbox Bridge In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
Youtrack
CVE-2026-57925 Jun 26, 2026
YouTrack <2026.2.16593 Improper Access Control Read Queries & Tags In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
Youtrack
CVE-2026-57924 Jun 26, 2026
YouTrack <=2026.2.16593 Default Role Config Exposes User Profile Details In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
Youtrack
CVE-2026-57923 Jun 26, 2026
YouTrack <2026.2.16593 Improper Auth on App Config Endpoint In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
Youtrack
CVE-2026-57922 Jun 26, 2026
JetBrains YouTrack 2026.2.16593 Project Settings Disclosure via MCP In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
Youtrack
CVE-2026-57921 Jun 26, 2026
YouTrack <2026.2.16593 Improper Access: Read Private Data via Comment Templates In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
Youtrack
CVE-2026-56142 Jun 19, 2026
Privilege Escalation in JetBrains Hub <2026.1.13757 via Auth Details Attach In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible
Hub
CVE-2026-50242 Jun 19, 2026
JetBrains Hub <2026.1.13757 Auth bypass via DB access In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible
Hub
CVE-2026-56141 Jun 19, 2026
Account takeover via predictable restore codes in JetBrains Hub before 2026.1.13757 In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes was possible
Hub
CVE-2026-53915 Jun 19, 2026
GoLand RCE via Untrusted Assigner in Project Config before 2026.1.3 (JetBrains) In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
Goland
CVE-2026-49386 May 29, 2026
Improper Access Control in JetBrains YouTrack <2026.1.13570 (Planning Canvas) In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
Youtrack
CVE-2026-49385 May 29, 2026
YouTrack <2026.1.13570 Improper ACL: Low-Privileged Modifies Service Accounts In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
Youtrack
CVE-2026-49384 May 29, 2026
PyCharm <2025.3.4 Stored XSS via Jupyter Markdown In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible
Pycharm
CVE-2026-49383 May 29, 2026
JETBRAINS INTELLIJ IDEA <2026.1 UI Designer XXE in Form Parser In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
Intellij Idea
CVE-2026-49382 May 29, 2026
IntelliJ IDEA <2026.1: Template Injection Exec CVE-2026-49382 In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin
Intellij Idea
CVE-2026-49381 May 29, 2026
TeamCity XSS via Stored SAML login before 2026.1 In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible
Teamcity
CVE-2026-49380 May 29, 2026
JetBrains TeamCity <2026.1 SAML Plugin Open Redirect In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible
Teamcity
CVE-2026-49379 May 29, 2026
Thread Names Assigner Exposes Credentials in JetBrains TeamCity <2026.1 In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names
Teamcity
CVE-2026-49378 May 29, 2026
JetBrains TeamCity <=2026.1 Credential Exposure via Autocomplete In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion
Teamcity
CVE-2026-49377 May 29, 2026
JetBrains TeamCity <=2025.11.1 Default Agent Params expose sensitive data In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters
Teamcity
CVE-2026-49376 May 29, 2026
TeamCity<2026.1 Insufficient Username Validation in SAML Plugin Assigner In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin
Teamcity
CVE-2026-49375 May 29, 2026
JetBrains TeamCity <2026.1 Reflected XSS on Repo Download Page In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page
Teamcity
CVE-2026-49374 May 29, 2026
TeamCity <2026.1 Improper Perm Checks Expose Config Params In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters
Teamcity
CVE-2026-49373 May 29, 2026
JetBrains TeamCity <2026.1 RCE via Perforce Connector In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings
Teamcity
CVE-2026-49372 May 29, 2026
JetBrains TeamCity <2026.1 SSRF via Build Status (2025.11.5) In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible
Teamcity
CVE-2026-49371 May 29, 2026
JetBrains TeamCity 2026.1.0 Reflected XSS in Keyword Filter In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible
Teamcity
CVE-2026-49370 May 29, 2026
YouTrack 2026.1.13162 Info Disclosure via fetchApp In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
Youtrack
CVE-2026-49369 May 29, 2026
YouTrack Info Disclosure before 2026.1.13162 on Users/Groups In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
Youtrack
CVE-2026-49368 May 29, 2026
Stored XSS in YouTrack Notification Templates before 2026.1.13162 In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
Youtrack
CVE-2026-49367 May 29, 2026
JetBrains IntelliJ IDEA command execution via Guest assigner before 2026.1.1 In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account
Intellij Idea
CVE-2026-49366 May 29, 2026
Command Injection in JetBrains IntelliJ IDEA < 2026.1.1 In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion
Intellij Idea
CVE-2026-44413 May 11, 2026
TeamCity API Unauthorized Access before 2026.1 (JetBrains) In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users could expose server API to unauthorised access
Teamcity
CVE-2026-41882 Apr 30, 2026
Arbitrary File Read via JetBrains IntelliJ IDEA Built-in Web Server (2026.1.1) In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server
Intellij Idea
CVE-2026-41153 Apr 17, 2026
JetBrains Junie<252.549.29: 'Project File Assigner' Command Exec In JetBrains Junie before 252.549.29 command execution was possible via malicious project file
CVE-2026-33392 Apr 17, 2026
YouTrack 2025.3.131383 RCE via Sandbox Bypass (JetBrains) In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass
Youtrack
CVE-2026-32745 Mar 13, 2026
JetBrains Datalore <=2026.0 Session Hijacking via Cookie Secure Attribute In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
CVE-2026-32229 Mar 11, 2026
Account Mismatch on SignIn in JetBrains Hub <2026.1 (CVE-2026-32229) In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled
Hub
CVE-2026-28193 Feb 25, 2026
JetBrains YouTrack < 2025.3.121962 AuthBreach via perms endpoint In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
Youtrack
CVE-2026-25848 Feb 09, 2026
JetBrains Hub auth bypass pre-2025.3.119807 permits admin actions In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible
Hub
CVE-2026-25847 Feb 09, 2026
PyCharm 2025.3.1 DOM XSS in Jupyter Viewer In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible
Pycharm
CVE-2026-25846 Feb 09, 2026
JetBrains YouTrack <2025.3.119033 access tokens exposed in mailbox logs In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
Youtrack
CVE-2025-68269 Dec 16, 2025
JetBrains IntelliJ IDEA <2025.3: SSH Remote Project Confirmation Bypass In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH
Intellij Idea
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.