JetBrains JetBrains Creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin

  1. Vendors
  2. JetBrains

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any JetBrains product.

RSS Feeds for JetBrains security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in JetBrains products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by JetBrains Sorted by Most Security Vulnerabilities since 2018

JetBrains Teamcity264 vulnerabilities

JetBrains Youtrack112 vulnerabilities

JetBrains Intellij Idea63 vulnerabilities

JetBrains Hub33 vulnerabilities

JetBrains Ktor21 vulnerabilities

JetBrains Toolbox10 vulnerabilities

JetBrains Pycharm8 vulnerabilities

JetBrains Rider7 vulnerabilities

JetBrains Webstorm5 vulnerabilities

JetBrains Goland4 vulnerabilities

JetBrains Rubymine4 vulnerabilities

JetBrains Phpstorm4 vulnerabilities

JetBrains Resharper2 vulnerabilities

JetBrains Clion2 vulnerabilities

JetBrains Mps2 vulnerabilities

JetBrains Junie1 vulnerability

JetBrains Rustrover1 vulnerability

JetBrains Dataspell1 vulnerability

JetBrains Datagrip1 vulnerability

JetBrains Aqua1 vulnerability

Known Exploited JetBrains Vulnerabilities

The following JetBrains vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
JetBrains TeamCity Relative Path Traversal Vulnerability JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
CVE-2024-27199 Exploit Probability: 90.9% 		April 20, 2026
JetBrains TeamCity Authentication Bypass Vulnerability JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
CVE-2024-27198 Exploit Probability: 93.0% 		March 7, 2024
JetBrains TeamCity Authentication Bypass Vulnerability JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
CVE-2023-42793 Exploit Probability: 92.9% 		October 4, 2023

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 31 vulnerabilities in JetBrains with an average score of 6.4 out of ten. Last year, in 2025 JetBrains had 84 security vulnerabilities published. Right now, JetBrains is on track to have less security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.28.




Year Vulnerabilities Average Score
2026 31 6.35
2025 84 6.07
2024 103 6.20
2023 54 6.54
2022 75 6.48
2021 88 6.66
2020 57 6.38
2019 57 8.28
2018 2 0.00

It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-49386 May 29, 2026
Improper Access Control in JetBrains YouTrack <2026.1.13570 (Planning Canvas) In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
Youtrack
CVE-2026-49385 May 29, 2026
YouTrack <2026.1.13570 Improper ACL: Low-Privileged Modifies Service Accounts In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
Youtrack
CVE-2026-49384 May 29, 2026
PyCharm <2025.3.4 Stored XSS via Jupyter Markdown In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible
Pycharm
CVE-2026-49383 May 29, 2026
JETBRAINS INTELLIJ IDEA <2026.1 UI Designer XXE in Form Parser In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
Intellij Idea
CVE-2026-49382 May 29, 2026
IntelliJ IDEA <2026.1: Template Injection Exec CVE-2026-49382 In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin
Intellij Idea
CVE-2026-49381 May 29, 2026
TeamCity XSS via Stored SAML login before 2026.1 In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible
Teamcity
CVE-2026-49380 May 29, 2026
JetBrains TeamCity <2026.1 SAML Plugin Open Redirect In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible
Teamcity
CVE-2026-49379 May 29, 2026
Thread Names Assigner Exposes Credentials in JetBrains TeamCity <2026.1 In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names
Teamcity
CVE-2026-49378 May 29, 2026
JetBrains TeamCity <=2026.1 Credential Exposure via Autocomplete In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion
Teamcity
CVE-2026-49377 May 29, 2026
JetBrains TeamCity <=2025.11.1 Default Agent Params expose sensitive data In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters
Teamcity
CVE-2026-49376 May 29, 2026
TeamCity<2026.1 Insufficient Username Validation in SAML Plugin Assigner In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin
Teamcity
CVE-2026-49375 May 29, 2026
JetBrains TeamCity <2026.1 Reflected XSS on Repo Download Page In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page
Teamcity
CVE-2026-49374 May 29, 2026
TeamCity <2026.1 Improper Perm Checks Expose Config Params In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters
Teamcity
CVE-2026-49373 May 29, 2026
JetBrains TeamCity <2026.1 RCE via Perforce Connector In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings
Teamcity
CVE-2026-49372 May 29, 2026
JetBrains TeamCity <2026.1 SSRF via Build Status (2025.11.5) In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible
Teamcity
CVE-2026-49371 May 29, 2026
JetBrains TeamCity 2026.1.0 Reflected XSS in Keyword Filter In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible
Teamcity
CVE-2026-49370 May 29, 2026
YouTrack 2026.1.13162 Info Disclosure via fetchApp In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
Youtrack
CVE-2026-49369 May 29, 2026
YouTrack Info Disclosure before 2026.1.13162 on Users/Groups In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
Youtrack
CVE-2026-49368 May 29, 2026
Stored XSS in YouTrack Notification Templates before 2026.1.13162 In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
Youtrack
CVE-2026-49367 May 29, 2026
JetBrains IntelliJ IDEA command execution via Guest assigner before 2026.1.1 In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account
Intellij Idea
CVE-2026-49366 May 29, 2026
Command Injection in JetBrains IntelliJ IDEA < 2026.1.1 In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion
Intellij Idea
CVE-2026-44413 May 11, 2026
TeamCity API Unauthorized Access before 2026.1 (JetBrains) In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users could expose server API to unauthorised access
Teamcity
CVE-2026-41882 Apr 30, 2026
Arbitrary File Read via JetBrains IntelliJ IDEA Built-in Web Server (2026.1.1) In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server
Intellij Idea
CVE-2026-41153 Apr 17, 2026
JetBrains Junie<252.549.29: 'Project File Assigner' Command Exec In JetBrains Junie before 252.549.29 command execution was possible via malicious project file
CVE-2026-33392 Apr 17, 2026
YouTrack 2025.3.131383 RCE via Sandbox Bypass (JetBrains) In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass
Youtrack
CVE-2026-32745 Mar 13, 2026
JetBrains Datalore <=2026.0 Session Hijacking via Cookie Secure Attribute In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
CVE-2026-32229 Mar 11, 2026
Account Mismatch on SignIn in JetBrains Hub <2026.1 (CVE-2026-32229) In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled
Hub
CVE-2026-28193 Feb 25, 2026
JetBrains YouTrack < 2025.3.121962 AuthBreach via perms endpoint In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
Youtrack
CVE-2026-25848 Feb 09, 2026
JetBrains Hub auth bypass pre-2025.3.119807 permits admin actions In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible
Hub
CVE-2026-25847 Feb 09, 2026
PyCharm 2025.3.1 DOM XSS in Jupyter Viewer In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible
Pycharm
CVE-2026-25846 Feb 09, 2026
JetBrains YouTrack <2025.3.119033 access tokens exposed in mailbox logs In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
Youtrack
CVE-2025-68269 Dec 16, 2025
JetBrains IntelliJ IDEA <2025.3: SSH Remote Project Confirmation Bypass In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH
Intellij Idea
CVE-2025-68268 Dec 16, 2025
TeamCity Reflected XSS (Storage Settings) before 2025.11.1 In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page
Teamcity
CVE-2025-68267 Dec 16, 2025
JetBrains TeamCity < 2025.11.1: GitHub PA Token Stored Privilege Escalation In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token
Teamcity
CVE-2025-68166 Dec 16, 2025
JetBrains TeamCity <=2025.10 DOM XSS on OAuth Connections Tab In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab
Teamcity
CVE-2025-68165 Dec 16, 2025
JetBrains TeamCity pre-2025.11: VCS Root setup Reflected XSS In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup
Teamcity
CVE-2025-68164 Dec 16, 2025
JetBrains TeamCity Port Enumeration via Perforce Conn Test (pre-2025.11) In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test
Teamcity
CVE-2025-68163 Dec 16, 2025
TeamCity <2025.11: stored XSS on agentpushInstall page In JetBrains TeamCity before 2025.11 stored XSS was possible on agentpushInstall page
Teamcity
CVE-2025-68162 Dec 16, 2025
TeamCity <2025.11: Maven Embedder allows Unrestricted Extension Loading In JetBrains TeamCity before 2025.11 maven embedder allowed loading extensions via project configuration
Teamcity
CVE-2025-67742 Dec 11, 2025
TeamCity < 2025.11 Path Traversal via File Upload (CVE-2025-67742) In JetBrains TeamCity before 2025.11 path traversal was possible via file upload
Teamcity
CVE-2025-67741 Dec 11, 2025
JetBrains TeamCity 2025.10 Stored XSS via session attribute In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute
Teamcity
CVE-2025-67740 Dec 11, 2025
JetBrains TeamCity <2025.11: Improper Access Control Exposes GH Token Metadata In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata
Teamcity
CVE-2025-67739 Dec 11, 2025
JetBrains TeamCity <2025.11.2 Rp URL Validation flaw => Local Path Disclosure In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure
Teamcity
CVE-2025-64773 Nov 11, 2025
YouTrack <2025.3.104432 Race Condition Bypass Helpdesk Agent Limit In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
Youtrack
CVE-2025-64457 Nov 10, 2025
dotTrace before 2025.2.5 Local Priv Esc via Race Condition In JetBrains ReSharper, Rider and dotTrace before 2025.2.5 local privilege escalation was possible via race condition
Rider
CVE-2025-64456 Nov 10, 2025
ReSharper DPA Collector LPE before 2025.2.4 In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation
Resharper
CVE-2025-64690 Nov 10, 2025
JetBrains YouTrack <2025.3.104432 insecure Junie config: data exfil + auth chg
Youtrack
CVE-2025-64689 Nov 10, 2025
YouTrack <=2025.3.104432 Junie Token Leak via Misconfig
Youtrack
CVE-2025-64688 Nov 10, 2025
JetBrains YouTrack <2025.3.104432 URL Validation Flaw: Unauthorized Repo Access
Youtrack
CVE-2025-64686 Nov 10, 2025
YouTrack<2025.3.104432: Auth Context Reuse via Missing Principal Cleanup
Youtrack
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.